Security / Careers
Not So Secure?

  June 11, 2001
  By Maria Schafer


It's a great time to be a security expert. In the wake of widely publicized hacker attacks and the infamous Melissa and Love Bug viruses that wreaked serious damage on corporate networks worldwide, network-security groups are getting unprecedented attention and budgets from senior management.



The risk of an attack increases as companies add more remote workers, electronic-commerce projects and applications, such as e-learning. About 75 percent of U.S. organizations have experienced a significant information-security breach in the past year, according to Meta Group research. Now some big organizations have established a new high-level security position: the CISO (chief information security officer), who reports directly to the CIO and, in some cases, to the CEO.

Trouble is, while companies are building the technical infrastructure for secure systems and networks, many are doing so without instituting the processes, procedures and training for the IT and other employees on the front lines of security management. Even where enforcement is centralized in a single group, the actual administration of security, such as the daily moves/adds/changes required for users to access systems, is typically the responsibility of the network administrator. The network administrator is also the person most likely to be in charge of securing the systems themselves: firewalls, VPNs, authentication servers, extranet directories and PKIs (public key infrastructures), for instance.

The bottom line is that the network administrator is not a security specialist. If a company wants to deploy its network administrator this way, it also needs to train him or her in security software, processes and procedures. It needs to develop security-management policies that are common across the organization and applied consistently for password updates and for adding or deleting user accounts, for example.

But because network security is relatively new and lacks experienced individuals, most groups are understaffed. So they off-load security administration to the network administrator. About half the network administrators surveyed recently by the Meta Group say they are responsible for security. Smaller organizations, not surprisingly, lean more heavily on their network administrators for security: nearly half of organizations with 1,000 to 5,000 employees use their network administrators as security staff, and more than one-third of organizations with more than 5,000 employees use their network administrators for this role, according to Meta Group research.



A better solution is to add a network security administrator to handle day-to-day security tasks and issues instead of overloading the network administrator. If the network administrator isn't trained to handle security breaches, the result can be devastating. Take one major Northeast insurance firm, which had procedures for password requests and access to its e-mail system. Disseminating information about potential viruses was a standard function of the insurance company's network administrator, and he regularly reviewed and updated virus definitions. But the day the Love Bug virus hit the company, he was out of the office. Although reports about the Love Bug virus had appeared in newspapers before the attack, the administrator was unaware of it, so management and the IT staff weren't notified of the risk. It was too late when the virus was finally discovered in the company's network. Other network staffers were too busy fighting fires -- down servers and other network problems caused by the virus -- to take control of the situation. The moral is that you need a thorough contingency plan for when the network administrator is out of the office and an emergency hits.

Recipe for Disaster

Often, companies run their security operation on two levels. The senior security manager, such as the CISO, is responsible for collecting and reviewing business requirements and "selling" upper management on the types of security systems and processes the company needs. This security professional also develops security policy, in cooperation with representatives from the business units.

The second level is the security staff, often the network administrator or a security manager, who work with IT groups to embed security standards within the technical infrastructure. In practice the network administrator handles the day-to-day password changes and other user-account tasks.

This split between security policy and its implementation can lead to disaster. The security manager, not the network administrator, should oversee things like regular password changes across all security services at the same time, to reduce end-user confusion and forgotten passwords. He or she also should ensure that password standards are maintained across the organization and that user accounts are added to or deleted from all system resources, not just some. The security manager and staff should handle security reporting, logging and audits (firewall scans, password checks) to ensure proper compliance. All too often, however, the network administrator handles these tasks, without adequate preparation or training.
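The "added to some systems but not all" and "deleted from some systems but not others" failures described above are easy to catch with a periodic reconciliation audit. The script below is an added example, not something from the original article or from Meta Group: it compares a constructed entitlement table (who should have an account on which system) against a constructed, concatenated account export from each system, and reports the gaps. The user IDs, system names and export format are assumptions made up for the illustration.

```python
# Added example, not from the original article: a reconciliation audit that a
# central security group could run to check that accounts were added to, or
# removed from, every system a user is entitled to, rather than just some.
# The entitlement table and the per-system account export below are
# constructed sample data; a real run would read them from HR and from each
# system's own listing.

from typing import Dict, List, Set

# Constructed entitlement table (what HR and the security manager say each
# user should have). Service accounts live here too, so they are not flagged.
EXPECTED: Dict[str, Set[str]] = {
    "asmith":     {"mail", "vpn", "extranet", "firewall"},  # network admin
    "bjones":     {"mail", "vpn", "extranet"},
    "cwu":        {"mail", "vpn", "extranet"},
    "dlee":       {"mail", "vpn", "extranet"},              # new starter
    "svc-backup": {"firewall"},                             # service account
}

# Constructed account export, one "system,user" record per line, concatenated
# from each system's own listing. "dlee" was never added to the extranet
# directory; "fformer" left the company but still has VPN and firewall accounts.
ACCOUNT_EXPORT = """\
# system,user
mail,asmith
mail,bjones
mail,cwu
mail,dlee
vpn,asmith
vpn,bjones
vpn,cwu
vpn,dlee
vpn,fformer
extranet,asmith
extranet,bjones
extranet,cwu
firewall,asmith
firewall,fformer
firewall,svc-backup
"""


def parse_export(text: str) -> Dict[str, Set[str]]:
    """Parse 'system,user' lines into {system: {users}}. Blank lines and
    '#' comments are skipped; any other malformed line is an error, because a
    silently dropped record would hide exactly the gap we are auditing for."""
    systems: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'system,user', got {raw!r}")
        system, user = parts
        systems.setdefault(system, set()).add(user)
    return systems


def reconcile(expected: Dict[str, Set[str]],
              systems: Dict[str, Set[str]]) -> Dict[str, list]:
    """Compare entitlements with what is actually provisioned.

    missing:   (system, user) entitled but absent      -> incomplete add
    extra:     (system, user) present but not entitled -> leaver/orphan/stale
    no_export: systems named in the entitlement table that sent no export,
               so nothing can be said about them (a failed export must not
               look like a clean system)
    """
    entitled_systems = {s for ents in expected.values() for s in ents}
    result: Dict[str, list] = {"missing": [], "extra": [], "no_export": []}
    for system in sorted(entitled_systems | set(systems)):
        if system not in systems:
            result["no_export"].append(system)
            continue
        should_have = {u for u, ents in expected.items() if system in ents}
        actual = systems[system]
        result["missing"] += [(system, u) for u in sorted(should_have - actual)]
        result["extra"] += [(system, u) for u in sorted(actual - should_have)]
    return result


def report(result: Dict[str, list]) -> str:
    """Render findings as plain text for the security manager's audit log."""
    lines: List[str] = []
    for system in result["no_export"]:
        lines.append(f"NO EXPORT  {system}: cannot audit, chase the system owner")
    for system, user in result["missing"]:
        lines.append(f"MISSING    {system}: {user} entitled but not provisioned")
    for system, user in result["extra"]:
        lines.append(f"EXTRA      {system}: {user} provisioned but not entitled")
    return "\n".join(lines) if lines else "clean: all systems match entitlements"


if __name__ == "__main__":
    print(report(reconcile(EXPECTED, parse_export(ACCOUNT_EXPORT))))
```

Run as-is, it flags dlee as missing from the extranet directory and fformer as an orphaned account on both the VPN and the firewall. The "no export" case matters in practice: if one system's listing never arrives, the audit must say so rather than report that system as clean.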

The key is for the network side of the house to incorporate security elements at the start of an upgrade or other projects. That means working closely with the security manager.

And effective security is not the sole responsibility of the security domain team or the CISO, either: Companies need to ensure that all employees are responsible for some aspects of security. The central security group should develop a general strategy based on conceptual and technical architecture principles and then apply it to the entire IT infrastructure. The job of end users is to create unique user IDs/passwords based on the company's password policy and standards. Even end users need some training; all the security technology in the world won't work if users act carelessly, e-mailing a proprietary document over the Internet without encryption or creating an easily guessed password.

When you define and implement security policies, some due diligence goes with them: communicating them clearly through presentations rather than cryptic memos, and publishing the security policy on the intranet, for instance. Security policy should be part of new-employee orientation, too.

Close to Home

Global 2000 organizations traditionally haven't outsourced their security operations, because they mistrust service providers and are concerned about confidentiality and performance. Security's increasing clout in most IT organizations, and the scarcity of security professionals fluent in both information security and business initiatives, have prompted some organizations to pay CIO-level salaries to CISOs. Headhunters specializing in information security professionals have also started to appear.

The high demand for these skills has created a significant market for information security training and certification, as organizations look to educate and develop security people from within. Programs from training organizations such as the SANS Institute, MIS Training Institute and the Information Systems Security Association are proliferating.

Most organizations should not outsource the responsibility for security. It's important to retain ownership of these functions in-house. The exceptions are vulnerability assessment and infrastructure design. There's plenty of pressure to hire outside talent because of a lack of personnel, but Meta Group discourages turnkey security outsourcing.

Meanwhile, there aren't enough people in the organization with the proper training and knowledge about security to defend against intrusions and problems. This will change, however, as the technology matures with more proactive tools, and security experts are "grown" within the organization. But for now, security administration still will be delegated to the network administrator, and the central security group -- in charge of policy -- needs to step up and ensure consistent administration across all systems.

Maria Schafer directs human capital management research at Meta Group, an information technology research and advisory services firm based in Stamford, Conn. Send your comments on this article to her at careers@nwc.com.






