When does too much information become an impediment to decision making? That's the dilemma facing security pros as they wade through E-mail security alerts sent to them by vendors and independent researchers. The key to knowing which security alerts to pay attention to is knowing your IT environment.

Connie Sadler, Brown University's director of IT security, filters information based on what her environment's biggest point of risk is. "I'm most concerned with network access control and network registration because we have so many people visiting the campus," she says. "It depends on the type of incident and who we perceive might have information on it." Sadler isn't convinced there's one information source that IT pros can rely on. "You can't look to one place to get what you need," she says. "It can be very frustrating and draining at times."

Health care companies have the added pressure of adhering to government regulations protecting patient data. "I have eight people on my staff, and we all subscribe to our own mailing lists," says John Delano, information security officer at Integris Health. He relies on information from vendors including Cybertrust, McAfee, and Microsoft, and he wants to create a general mailbox where he and his staff can share information.

The amount of security research being done will grow as companies identify it as a competitive differentiator and independent researchers respond to cash bounties for finding the next big vulnerability. Symantec reported 3,800 vulnerabilities in commercial software last year, using a staff of about 300 people, including freelance researchers.

Much of the research has focused on the largest software providers, so there's a lotleft to be done. "We're going to see a rise in the amount of research," says Neel Mehta, team lead for Internet Security Systems' X-force research arm, which has 10 full-time security researchers. "A lot of emerging technologies have to be examined for security risks."

Dennis Brixius, chief security officer at publisher McGraw-Hill, wants any information he can get because threat assessments must be made based on a company's IT environment. "What are your key applications? What are they running? What's happening on those machines?" he says. "Knowing your inside environment is the best way to filter this information."

Continue to the sidebar:
10 Infamous Moments In Security Research

Return to the story:
The Fear Industry