No Time To Relax - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

07:30 PM

No Time To Relax

More U.S. companies say they're spending enough to win the information-security battle. Have companies found the right balance of risk and cost, or are they dropping their guard just as threats get more vicious?

As companies weigh advanced security against other IT-intensive projects, many don't see security delivering higher revenue. Security experts say that's why many businesses' spend as little as possible on IT security. Yes, some companies have invested in the latest security gear, such as centrally managed personal firewalls, application firewalls, and security-event monitoring applications. But they're in the minority. "The business guy is asking: 'What's the downside of not spending heavily on security?'" Radianz's Hession says. "Unless you're heavily regulated, you don't have a compelling business driver to spend on security. If you ask people at regulated companies how much they're spending on security, they'll tell you that they're spending the least amount of money possible so the regulators won't shut them down."

Regulation is the fastest-growing reason for security spending--59% cite legal or regulatory requirements as a justification, up from 49% last year. New federal and state regulations, such as the Health Insurance Portability and Accountability Act and California's security-disclosure law, cover the protection of customer information and reporting of security breaches, forcing some businesses to spend more. The only reason cited more often is liability, which at 70% is about the same as last year. Just 41% of survey respondents cite a potential revenue impact as justification, down from 48% last year. About a quarter cite a partner or vendor requirement.

Most companies haven't deployed more-sophisticated security applications outside of basic firewalls and virus-detection software. Only 32% have intrusion-detection systems, 34% have personal or user firewalls, 43% monitor employee Web usage, 30% have application firewalls, and 23% use vulnerability-assessment tools. Those numbers have changed little in the past two years. In addition, only 28% conduct security training for systems and network administrators, and only 23% have a security-awareness campaign, a keystone to any well-designed security program. The number of companies providing security training and conducting security-awareness programs has declined in the past two years, survey results show.

Companies that have spent heavily on advanced security now face the challenge of making those systems work effectively. Firewalls and intrusion-detection systems can generate a flood of alerts and other kinds of data, so the increasingly important task is finding the serious threat among thousands of minor alerts. That's why some buy applications to help them manage their security systems and analyze the data they produce.

Mike Engle, VP of information security at Lehman Brothers Holdings Inc.

By using Addamark software, Lehman VP Engle focuses on getting a better understanding of security-related network data

Photo by Evan Kafka/Redux
Lehman Brothers Holdings Inc. last year deployed Intellitactics Inc.'s Network Security Manager to monitor and correlate security events that occur across the investment bank's systems and applications, which include firewalls, intrusion-detection systems, operating systems, and E-commerce apps. Large companies such as Lehman have dozens of systems that collect and report information about user access to applications, network traffic, potential virus infections, failed logon attempts, and related data. At Lehman, that can amount to as many as 40 million system events a day. "It's hard to analyze that data without getting it together and putting it into one common place where it can be queried easily and efficiently," says Mike Engle, VP of information security at Lehman.

The large volume of security data made it difficult to respond when a Lehman business unit asked for information about something that may have occurred on the network. Engle or his staff had to spend hours searching logs for the answer. "One query I performed on proxy logs took eight hours to complete," he says. Using Addamark Technologies Inc.'s Omnisight to consolidate security- and application-activity logs, Engle says, research that took hours can be completed in minutes.

Security Hurdles

Whether it's better management or better tools, IT security will always be a balancing act between risk and cost. After several years of fast-growing security budgets, there's a marked change in executives' attitudes--they believe they've at least caught up to the threats that face company networks. "Management is now placing bets that it's better to spend IT dollars on things other than security," Radianz's Hession says. "And there haven't been many events to show that that's a bad bet for most companies."

Of course, that could change if business networks and information systems are successfully attacked and damaged by new, unforeseen threats. An attack that results in crashed systems for a long period of time or the very public theft of confidential customer data could get executives pushing security higher up on the urgent list--and opening their wallets all over again.

Illustration by Richard Downs

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
3 of 3
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll