Reader Survey
Is Security the Next Big Thing?
When it comes to enterprise network security, our survey respondents seem to be a very confident bunch. Are they just deluding themselves?
By Greg Shipley
Corporate security is an extremely slippery topic. People love to talk about it, but few seem to get their hands around it. Therefore, we shouldn't have been surprised when we inquired about the state of information security and received feedback from more than 500 organizations.
More than 80 percent of our respondents said they determine the need for, evaluate and specify which security products to purchase--so we definitely heard from those in the trenches. Nearly 90 percent have implemented firewalls and virus-protection software, and more than 60 percent think their security policies are both relevant and up-to-date. What's the No. 1 security-related product people are looking to add in the next 12 months? More than 42 percent cited intrusion-detection systems. Most claim they have the basics down and are moving to more complex protective measures.
Finally, when we asked organizations about their overall attitude toward their information security policies, only 15 percent responded that they wished they still had their "blankies." This could be a good sign, as people are confident in their security endeavors--or at least they no longer covet soft, inanimate objects.
Organizations claim to be on top of their security policies, are spending money on security and security products, and say this spending will increase over the next few years. So we've got to ask, What's the problem? Why are corporations worldwide continuously getting pummeled? Heck, if RSA Security can't keep its Web site from getting hacked (see www.attrition.org/mirror/attrition/2000/02/12/www.rsa.com/), how can the rest of us be so confident? (OK, so RSA's DNS got hacked and people went to the hacked site instead of the real one--but the result is the same.)
Although we can draw some interesting conclusions from our survey, our observations have less to do with trends and more to do with a larger problem. Companies are starting to take security seriously--a good thing--but perceptions are still in dire need of adjustment. It's almost as if the industry is in denial: "We've got our security down...or we think we do, anyway." For example, we found it particularly curious that while more than 60 percent of all respondents think their security policies are up-to-date, only 23 percent of them review their policies at any reasonable level of frequency--i.e., weekly or monthly. Another trend that doesn't quite match up is the apparent desire to outsource. If confidence is so high, why are more than 54 percent of the organizations outsourcing their firewall management, and 34 percent outsourcing their virus-protection efforts? Perhaps confidence is so high because there is someone else to blame. On the staffing front, 63 percent of the respondents claim they have no dedicated IT security staff. Either our respondents employ some of the most security-conscious administrators around or their strategies have some serious holes. It just doesn't add up.
So it appears that we can look forward to a definite interest in security, and increased product sales. It appears that intrusion detection will be a hot item this year. And it appears that many organizations are confident in their approaches to information security. Yet as computer crime statistics skyrocket, we are led to believe otherwise. Or maybe we're just too darn cynical. Maybe the fact that organizations don't have full-time security staff just means they've taken security to the next level and have integrated it into their business processes. After all, who filled out this survey? Network Computing readers--that's who. And we all know that group is already ahead of the pack. For the complete results of our survey, see img.cmpnet.com/nc/1105/graphics/f22.pdf.
Greg Shipley, a Chicago-based contributor, works for the Neohapsis network security assessment team. Send your comments on this article to him at gshipley@neohapsis.com.