Winner: Integration
It's not surprising that, strapped as they are for resources and time, security professionals want products and suppliers that let them do their jobs with minimal hassle.

Integration with existing networks is the capability survey respondents say they most look for in a product. Tools that don't work well within an existing architecture can be worse than ineffective--they can create new risks.

The next-most-sought-after features were performance, second; and high availability, third.

When it comes to choosing a vendor, reliability is again key. The most highly desired quality in a vendor is responsiveness to product security problems, followed by reputation.

Readers rank E-mail-borne viruses and worms as carrying the highest risk among the threats listed in this year's survey, followed by unknown vulnerabilities in commercial products and Web and custom applications. Hansen is surprised that E-mail viruses and worms rank so high. Most antivirus software does a good job, she says, though browser-based attacks present a major and growing problem.

Perceived Threats
Respondents rank internal attacks as a relatively low threat, despite the plethora of research that shows that internal attacks, or those committed by employees, are a major threat. Last year's poll showed similar results, with external attacks being ranked riskier than internal ones by a wide margin.

While internal threats may in fact be a greater risk than external threats, Donahue says that's only because the organization has managed to eliminate or mitigate serious external threats.

"We've spent so much time and effort on containing external risk that we have brought it down to the point that it's become more likely that we'll be exposed to an internal risk," he says. There's a level of trust that's part of the IT-employee relationship, he says, and if background checks come back clean, Donahue has done his due diligence and it's reasonable for him to assume the best from his staff.

There's more than that at work in security managers' thinking, Hansen says. Quite often, it's the external breaches, not the internal ones, that get IT security professionals fired. Other times, IT security staff might not even be made aware of how serious internal threats can be. Also, security managers sometimes tend to see internal threats as more of a human-resources problem than an IT one.

Among the technologies deployed by readers, antivirus ranks highest on the perimeter, on internal networks, on desktops, and for messaging security. Antivirus software and similarly older, more-robust applications are common within organizations because they're "low-hanging fruit," Hansen says. Moreover, they present good metrics that can be shown to higher management. "Those are the kinds of things that allow you to say, 'Hey, I'm providing value to the organization,' " she says.

And to a large extent, being able to show value is the name of the game for IT security managers who are struggling to meet intensifying threats and surging compliance requirements with inadequate staff and budgets. Still, most IT security experts continue to find workarounds and fixes to handle their security needs, despite the lack of support they sometimes receive from executive management.