More U.S. companies say they're spending enough to win the information-security battle. Have companies found the right balance of risk and cost, or are they dropping their guard just as threats get more vicious?
More companies are successfully fending off attacks or limiting damage. Only 45% of companies in the 2003 InformationWeek security survey say they fell victim to computer viruses or worm attacks, a big decline from the 70% that reported successful attacks in the 2001 survey. The second-highest category of attack, denial of service, hit only 19% of companies. And total annual losses from security breaches have plummeted from about $456 million in 2001 to around $202 million in 2002, according to the 2003 Computer Security Institute/FBI Computer Crime and Security Survey.
Another change is that more money for IT security products and people isn't seen as the only answer. For the past two years, almost 60% of respondents to the InformationWeek survey cited capital expense as one of the most significant barriers to IT security. This year, 44% do. Another barrier to effective security, lack of time, fell from 51% last year to 37% this year.
But the battle to secure IT systems is far from over. Some 49% of managers say the most significant barrier to effective security is the increasing sophistication of threats. In January, the SQL Slammer worm slowed Internet performance and infected roughly 75,000 systems in about 10 minutes. It was the fastest-spreading worm in history and resulted in $1 billion in damage and cleanup costs globally, according to some security experts. In February, Data Processors International, a company that processes credit-card transactions, had its systems breached and may have had as many as 8 million credit-card numbers stolen. And late last year, an insider at Teledata Communications Inc. allegedly accessed credit files of more than 30,000 consumers, which included customers of Ford Motor Credit.
Despite these high-profile incidents, it appears the reduction in successful attacks and losses caused by those attacks has prompted some companies to shift their priorities from buying security systems to better managing the ones they have. "The initial security big bang, where companies came in and established their policies and made big security purchases, may be over," says Bill Stevenson, information-security officer with New Century Mortgage Corp., a residential mortgage-services company. "Many companies may be focusing on managing security and auditing their systems."
Tighter IT budgets play a role in shifting priorities as well. "People can't keep throwing money at the security problem. The strategies have to change," says John Pescatore, a Gartner research director. The IT advisory firm estimates companies will spend, on average, 5.4% of their IT budgets on security in 2003. "Next year, a lot of companies are going to ask if they really need to get to 6% or 10%. Many companies will conclude they've gotten to the right level. A lot of companies are going to decide that they've thrown a lot of stuff at security and that they now have the right balance."
As companies get a clearer understanding of the threats and costs, they're better able to measure the value of security systems and weigh that spending against other initiatives. "From a budgeting point of view, security is just another part of the IT budget, and it's competing hard for high priority along with everything else," says Lloyd Hession, chief information-security officer for Radianz, a network-services provider for financial-services companies.
Many executives characterize the transition not so much as a drop in security's importance but as an increase in companies' preparedness. "I've not seen a drop in priority here," says John Hartmann, VP for security and corporate services at Home Depot Inc. "In recent years, there was a significant ramp up, and people spent more time and attention on security. Now security is more in place in a lot of organizations."
The survey results support the proposition that most companies have the fundamentals of security in place. Most of them have network firewalls (81%) and antivirus software (79%) and are using VPNs (71%), access management, and other security applications. As a result, businesses may believe they've invested heavily in security and are reluctant to keep up the pace of spending. "2002 was also a pretty slow economic year, and it just makes sense that security spending increases would drop in line with that," Hartmann says.