July 10, 2000
It's Time To Clamp Down
continued...page 2 of 3
Outsourcing is also a potential solution for companies--both small and large--that can't find enough qualified security staff members. DuPont already outsources some of its security functions to Computer Sciences Corp. And Newmont Mining will consider outsourcing to fulfill some of its security needs, though Kesl has some trepidation about doing so. "It's maybe not the optimal situation," he says. "How do you continuously monitor the security practices of the service provider you choose to outsource to? But we may have no other choice."
Newmont Mining isn't the only company to have reservations about this approach--just 19% of survey participants say they consider it a priority to turn over some of these functions to a third party in the next year. There are reasons to be concerned, says VanDercreek. When Gazelle.com decided to co-locate its Web site (though not for security reasons), "the first step in deciding who would host our site had to be visiting their site and determining whether they had sufficient levels of security," VanDercreek says. Finding a host who took security--including the physical security--of its operations seriously wasn't easy. "There were plenty of co-location companies I walked into where I could have reached and hit power switches, pulled cables, and completely knocked their site out," he says.
Security firm IFsec doesn't see the shortage of security professionals getting better. "Schools aren't churning them out fast enough, and the government is hiring all they can, taking even more potential security professionals out of the public job market," says CEO Remnitz. "My gut feeling is that there just aren't enough people on the planet to get all of the work done that needs to get done."
Despite that, companies are beginning to use more tools to protect their information. Virus-detection software, firewalls, and automated data backup are already installed in more than half of the respondents' infrastructures. Virtual private networks, intrusion-detection systems, digital certificates, secret key cryptography, and message authentication codes are also claiming a spot in these environments, though they have yet to crack the halfway penetration point among businesses of all sizes.
It's no simple task to actually make all these technologies function at optimal levels.
DuPont would be in a bind if it relied on the usual methods to painstakingly troll through a plethora of standalone applications, checking each log and trying to investigate each alarm the apps generate. To avoid this, the company adopted e-Security Inc.'s Open e-Security Platform, a framework that integrates security event data in real time from application logs, intrusion-detection systems, and firewalls, and presents that information at a single console. "Without a tool like this, there's no way we could possibly know what's going on in our network in real time," Paszko says. "How secure are you if you can't see that?" With such tools, he adds, "there's no reason why security managers should be forced to fly blind in large areas of their network at any given time."
Paszko isn't alone in his search for simplicity. Lack of time, the complexity of security technology, the pace of change, and capital expenses ranked as the most significant barriers to effective security within respondents' companies. And even as security managers wrestle with a new wave of security products, they're grappling with managing tried-and-true access controls, such as user passwords. Basic user passwords ranked as the No. 1 access control for protecting information systems, well ahead of single-sign-on software, one-time passwords, and hardware-based authentication, with 64% of respondents claiming use of the feature. But they're not necessarily happy with relying so heavily on that approach.
"You're only going to be as strong as that weakest link you have," says Charles Wang, chairman and CEO of Computer Associates, which last month delivered version 6.5 of eTrust Single Sign-On, new software that integrates single-sign-on and access-control capabilities for client-server and Web applications. Wang jokes that employees who used to stick Post-it Notes with passwords to their PCs are taking a more "sophisticated" approach. "Now we hide them under the keyboard or under the desk," he says.
It should come as little surprise that the use of additional access controls is increasing. The use of single-sign-on software more than doubled to 32% this year, while one-time passwords leaped from 18% in 1999 to 26% in 2000. The use of hardware-based authentication is up from 15% to 29% in this year's survey.
When Newmont Mining's Kesl started searching for a secure way to allow the company's transportation partners to log on to its network to speed business transactions, he had a number of concerns about the access-control choices available. "We just didn't feel comfortable with [basic user] passwords, and smart cards seemed expensive to implement and maintain," he says.
Kesl solved the problem by issuing ActivCard Inc.'s ActivCard One to provide an authentication "token." Users simply enter a personal ID number on the credit-card-sized token keypad and press 'enter' to create a secure, one-time-use password that's then displayed on the keypad screen. The tokens are inexpensive ($40 each) and easy to deploy, Kesl says. "We are very comfortable with this level of security," he says. "We didn't have too much of a problem getting our partners to use ActivCard, and it's much easier to support and maintain than a smart-card solution."
What's happening with a company's data beyond its perimeter, with the growth of business-to-business exchanges and marketplaces, is adding a new dimension to the security equation. GE Global eXchange Services (GXS), which sets up and provides security for marketplaces such as BevAccess.com, a marketplace for the alcoholic beverage industry, says there are ways to ensure that data is handled securely within the marketplace.
For starters, GXS systems connect to the marketplace via a secure IPsec VPN connection, and marketplace customers can use a Secure Sockets Layer connection, says Guy Fisher, general manager of Internet component architecture at GXS. To keep transactions and private information in the marketplace safe from potential snoopers within the community, GXS has established a multilevel authentication process, letting the customer choose the level of security it's most comfortable with. "If someone says a user ID and password is secure enough for them, we'll set it up," he says. GXS can also establish public key infrastructure certificates for online authentication, with the highest level of additional security often being a token mechanism or a biometric authentication device.
The bigger issue, Fisher says, isn't setting up the secure infrastructure. "The problem is getting multiple marketplace partners to agree on what level of security is high enough," Fisher says. "We can have one partner happy with IDs and passwords, but another company saying that only token-based access is good enough. In a marketplace, the lowest common denominator between individual companies sets the security standard. Getting everyone to agree on a reasonable level of security is the challenge, not the technology."
Illustration by George Abe