Network Security Is In A Shaky State: Survey

Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security.

Shortfalls in security staffing and budgets aren't new, of course. But what makes the situation more nerve-racking are the regulatory risks and compliance requirements that fall to the IT security department, adding cost and work at a time when budgets are growing only moderately, if at all. Case in point: One multibank holding company with 500 employees and assets of almost $2 billion recently implemented monitoring, encryption, and intrusion-prevention technologies to assist its adherence to the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance Portability and Accountability Act. But the company's chief information security officer, who asked to remain unidentified, still has a bleak security outlook.

"Our staffing levels are inadequate and have an impact on our ability to maintain systems in accordance with our policies and standards," he says. "This problem won't improve. Hopefully, we can do more automation and less hands-on administration and monitoring."

He's not alone in his pessimism. The survey shows IT security staffing almost unchanged from last year--and, in a word, deficient. Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21% saying they're severely understaffed. Last year, those numbers were 45% and 20%, respectively.

"I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law-enforcement agencies. The agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises, Clissold says. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls.

Managing expectations is important for handling staffing inadequacies, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. "We must be skilled communicators and negotiators with those in senior positions," he says.

Being resourceful often means having users take more responsibility for security measures, says Justin Bell, a security specialist at a Wisconsin engineering consulting firm. Bell's IT staff sends out a monthly security newsletter and E-mail messages that get users to perform tasks that IT might normally handle. For example, during a recent switch from static IP addresses to the Dynamic Host Configuration Protocol, Bell's group took advantage of users' efforts and cut its workload to 30 machines from 360.

Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT-security managers say, that translates directly to greater organizational vulnerability.

Shrinking Dollars
The survey shows shrinking numbers at both the high and low ends of IT security budgets. Significantly, only 16% of this year's respondents say less than 1% of their IT budget is spent on security, down from 19% who made the same claim last year. However, the portion of readers who put their security budgets at 16% or more of their IT spending shrank as well, down to 7% this year from 9% last year.

"Budgets are increasing, but they're still a sliver of the overall budget," says Kelly Hansen, CEO of information-security consulting firm Neohapsis and a columnist for Secure Enterprise.

Around 38% of respondents say 1% to 5% of their IT dollars go to security. But the majority of security professionals aren't satisfied with their budgets--to the point of sometimes feeling helpless.

For Jody Simmonds, IT security architect at the Washington state Department of Health, part of the problem is that her security office doesn't have its own budget. Instead, security must draw money from the agency's network-services budget. "Security should have its own budget," she says. "We're at the mercy of another section, and they may have different priorities."

Although Neohapsis' Hansen sees security budgets increasing somewhat, she acknowledges the compliance onus that has fallen on security managers. Moreover, she says, vulnerabilities unrelated to compliance are increasing. External attackers, for instance, "used to be 15-year-old kids but are now sometimes linked to organized crime."

Several diverse factors influence how security managers spend the money they have based on a diverse set of drivers. The top five drivers in this year's survey were improved business practices, auditing regulations, industry standards, security breaches from external sources, and legislative regulations.

Despite staffing and budgetary shortfalls, IT security managers continue to implement new security procedures and dedicate staff specifically to security. Twenty-nine percent of respondents, up 1% from last year, describe their IT security structure as a formal dedicated team. The portion of organizations that use individuals within IT to carry out security as only a secondary part of their jobs fell to 35%, down from 40% last year.

Other organizations are building an overall "culture of security." Even when a dedicated security staff exists, the job often involves educating IT and non-IT staff about security risks and needs.

"Everyone plays a role in security, and security is everyone's responsibility," says Kim Milford, information security officer at the University of Rochester. Training and awareness are critical aspects of the school's security program. Part of the university's IT security staff's work is helping employees understand their roles and responsibilities, providing guidance on risk assessment, and implementing controls.

Complex But Secure

Sometimes security managers find themselves working within complex security structures, answering to various supervisors and drawing on myriad sources of assistance. That's the situation for Tim Donahue, security manager for the U.S. Army's Distributed Learning System, which conducts online training for soldiers.

"Our structure is complex, but it's complex in that the Army places extraordinary emphasis on information security," says Donahue, who is the sole person dedicated to security within the learning system. A contracting firm runs the enterprise-management center, however, and lends its own security engineer. Various entities in the Department of the Army handle information security, and Donahue can reach out to them as necessary on issues from troubleshooting to compliance monitoring.

Survey results also show a growing commitment to put higher-level people in charge of security. Last year, only 12% of survey respondents reported that their organizations had a chief security officer. This year, that number rose to 18%. Similarly, only 12% of last year's respondents said they had a chief information security officer; this year, that figure climbed to 22%.

One pronounced shift from last year: the importance of compliance issues for assessing risk before information-security purchases. Regulatory compliance and noncompliance issues ranked fifth among methods for assessing risk in 2004, with just less than half of respondents saying they look at compliance before making security purchases. This year, compliance ranked first at more than 60%, leapfrogging input from peers, internal audits, informal risk analyses, and penetration as a method for gauging risk.

Neohapsis' Hansen isn't surprised that compliance hit the top spot as a risk-assessment driver. Rather, she's perplexed it took this long. "There's a general lack of awareness among IT security professionals about what role they're going to play in compliance," she says.

Part of the problem is that IT security pros still haven't learned how to "talk the talk" of compliance, Hansen says. Once they do, they'll find they have a bigger voice when it comes to getting budget outlays and the support they need to do their jobs. IT gets more clout when it's the company arm delivering adherence to regulations for which executives are sometimes held personally responsible.

"The emergence of HIPAA and other laws that regulate security and privacy also has helped to move information security from a technical control to a business control," says the University of Rochester's Milford. "Prior to HIPAA, info security was considered a binary switch: 'Just make it secure.' But now it has become part of the risk assessment an organization must go through to determine how best to conduct business."

The Sarbanes-Oxley Act leads the way when it comes to regulations with which organizations must comply. About 42% of readers say they have to adhere to Sarbanes-Oxley, followed by HIPAA at 38%; the Federal Privacy Act of 1974 at 35%; and the USA Patriot Act at 26%.

Winner: Integration

It's not surprising that, strapped as they are for resources and time, security professionals want products and suppliers that let them do their jobs with minimal hassle.

Integration with existing networks is the capability survey respondents say they most look for in a product. Tools that don't work well within an existing architecture can be worse than ineffective--they can create new risks.

The next-most-sought-after features were performance, second; and high availability, third.

When it comes to choosing a vendor, reliability is again key. The most highly desired quality in a vendor is responsiveness to product security problems, followed by reputation.

Readers rank E-mail-borne viruses and worms as carrying the highest risk among the threats listed in this year's survey, followed by unknown vulnerabilities in commercial products and Web and custom applications. Hansen is surprised that E-mail viruses and worms rank so high. Most antivirus software does a good job, she says, though browser-based attacks present a major and growing problem.

Perceived Threats
Respondents rank internal attacks as a relatively low threat, despite the plethora of research that shows that internal attacks, or those committed by employees, are a major threat. Last year's poll showed similar results, with external attacks being ranked riskier than internal ones by a wide margin.

While internal threats may in fact be a greater risk than external threats, Donahue says that's only because the organization has managed to eliminate or mitigate serious external threats.

"We've spent so much time and effort on containing external risk that we have brought it down to the point that it's become more likely that we'll be exposed to an internal risk," he says. There's a level of trust that's part of the IT-employee relationship, he says, and if background checks come back clean, Donahue has done his due diligence and it's reasonable for him to assume the best from his staff.

There's more than that at work in security managers' thinking, Hansen says. Quite often, it's the external breaches, not the internal ones, that get IT security professionals fired. Other times, IT security staff might not even be made aware of how serious internal threats can be. Also, security managers sometimes tend to see internal threats as more of a human-resources problem than an IT one.

Among the technologies deployed by readers, antivirus ranks highest on the perimeter, on internal networks, on desktops, and for messaging security. Antivirus software and similarly older, more-robust applications are common within organizations because they're "low-hanging fruit," Hansen says. Moreover, they present good metrics that can be shown to higher management. "Those are the kinds of things that allow you to say, 'Hey, I'm providing value to the organization,' " she says.

And to a large extent, being able to show value is the name of the game for IT security managers who are struggling to meet intensifying threats and surging compliance requirements with inadequate staff and budgets. Still, most IT security experts continue to find workarounds and fixes to handle their security needs, despite the lack of support they sometimes receive from executive management.