FRAMINGHAM (10/08/2003) - The best place to start is with what "The State of Information Security 2003" survey doesn't include. It doesn't include some stark bit of data that will make you slap your forehead and exclaim, "Oh, that's the problem!" It doesn't include figures that suggest a secret formula for setting a security budget. Nowhere in its hundreds of pages of raw numbers will you find The Answer, because The Answer is a fiction, even if the problem is not. Information security is a difficult, nuanced and immature craft. Silver bullets are for people who aren't serious about solving the problem.
What this survey does include, in its depth (more than 7,500 respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories) is a comprehensive profile of the imperfect and evolving world of information security.
According to the survey findings, it seems you're all just now coming to terms with information security as a problem. You understand that fixing the problem won't be easy--that it will take a complex combination of infrastructure, education, proactive risk analysis and regulation. But at the same time, you seem to be hoping against hope that an easier way out will present itself. You know you need to do more, but the survey shows that you're not yet doing it. It's the classic economic principle known as the Problem of the Commons: Information security is a problem, but it's not my problem.
And one can hardly blame you for taking such a stance. Information security, right now, is a confused and paradoxical business. For example:
- You've increased spending significantly, and you're told this is a good thing, and yet it has had zero effect in mitigating security breaches.
- You're constantly warned about "digital Pearl Harbors," and yet the vast majority of incidents you report are relatively small, don't last long and don't cost much.
- You're told that aligning security and business strategies is a top priority, and yet those who have fared best in avoiding breaches, downtime and security-related damages are the least likely to be aligned with the business.
But in another sense, you seem to be contributing to the confusion.
Respondents who suffered the most damages from security incidents were two times more likely than the average respondent to plan on decreasing security spending next year.
Those with the most damages were nearly half as likely to list staff training as one of their top three priorities.
A quarter of you neither measured nor reviewed the effectiveness of your information security policies and procedures in the past year.
In short, the survey shows that as much as the nascent information security discipline has grown since its baptism--on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit)--it hasn't much improved with age.
Can we suss out any prevailing trend at all? If there's one there, it's hard to tell. In this particular survey, trends drift aimlessly. Positive correlations are rare. What you do about information security and what actually happens seem only vaguely allied.
Except for one case, where a connection was clear. In this survey, confidence in security correlates to better security, irrefutably. In other words, those who feel like they're doing better are doing better.
What follows are the five cuts we made of "The State of Information Security 2003," including the aforementioned confidence correlation. Each provides insight into some aspect of this confused and complex discipline. In one, there's even a calculation--an innovative method for benchmarking security spending called the per capita expenditure.
Forget silver bullets. Hard data, and lots of it, is what you need to start improving information security. And here it is.
It is frustratingly difficult to find any relationship at all between good security and spending. And sometimes there's even a negative relationship.
Companies with US$500,000 or more in damages were more than twice as likely to plan to cut security spending as companies that suffered no monetary loss in damages.
What the Numbers Mean
Since companies' size, and therefore their budgets, varied so widely across the survey's more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security. The mere single percentage point between the highest spenders and lowest spenders (when cross-tabulated with breach data) shows that those suffering fewer security incidents don't necessarily spend more to stay secure--or, to flip it over, those who are hit the hardest by breaches aren't spending any less than those untouched.
So you can't accuse the companies suffering breaches of not spending enough. But perhaps they're not spending well. The hardest question for IT security officers to answer clearly isn't "How much should we spend?" but rather "How should we spend?"
The answer: Probably by devoting less to technology.
Security expert Bruce Schneier thinks the wanton deployment of technology hasn't helped because it hasn't been matched by a similar deployment of the soft stuff--training, education and awareness.
"Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably," he says. "Most of the time, the security problems are inherently people problems, and technologies don't help much."
Take photo IDs, for instance. Schneier says that technologists want to add this or that to make IDs harder to forge, but what about the people who bribe the issuing officials to get real IDs in fake names? (At least two of the 9/11 terrorists did that.) The technology that makes an ID harder to forge doesn't solve that problem.
In addition to the willy-nilly deployment of technology, some companies are also not using the technology to its full potential.
Consider that seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the hard way--by customers, colleagues or news outlets alerting the company of a breach, or worse yet, by the damages the event caused.
Companies have deployed so much technology, and it has generated so much data in the form of log files, that they have given up trying to interpret the data. The haystack has gotten too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers' security practice. "When (organizations) give up, that's when breaches are going to happen."
One interpretation for the disturbing trend of budget cuts by companies that were hit hardest by hacks is that they just gave up. Another possible explanation is that these companies are hard hit by something else--the economy--and they are cutting budgets across the board regardless of security breaches.
But it's just as likely that they've decided that the money they had spent was money down the drain. Why? Information security, for whatever reason, hasn't yet adopted risk management as a philosophy. It's still treated binarily: Either you're safe, or you're not. Either the money you spent worked, or it didn't. And that must change.
"People think in terms of threats, not in terms of risk," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. "Risk management allows you to assemble threats into some order or importance so the available funds can be used most effectively to prevent and prepare for the identified risks."
Why haven't information security professionals adopted a risk management approach?
"Because it's harder," McCreary says. "It takes more time and effort, and, of course, more knowledge than they have."
1. Target spending on the soft stuff--awareness, education, risk management training--instead of throwing more technology at the problem.
2. Take better advantage of the technology you do have by interpreting the data it generates, not just letting it block attacks.
The Confidence Correlation
Those who are very confident in their security have stronger security infrastructures in place, and they spend more on security as a percentage of their IT budgets.
What the Numbers Mean
Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight. We can even go so far as to herald the one-quarter of respondents who called themselves "very confident" in their organizations' security as security leaders. That group tends to create far more structure around security within the organization--in other words, making it a discipline and not something that happens as part of the IT group. They hire more security executives and give those executives more control over policy, spending and staffs.
Another key point: The more confident a company is in its security, the less likely the security is controlled by the IT department. Many believe that IT's oversight of information security has been a limiting factor in improving it--that, if the CSO reports through the CIO, it's like having the fox guard the henhouse. If the CIO, for example, controls both the CRM implementation, which he's been told to get done in one year for $2 million, and is also in charge of information security, which will add time and money to that project, to which master does he answer?
At the very least, IT leaders should be self-policing and conducting independent audits of their security practices. But the numbers in that regard don't suggest companies are. About 75 percent of companies don't perform third-party assessments of privacy standards, and 60 percent don't audit security standards. No one indicated that systems were tested for security/policy compliance.
Extracting information security from the IT department overnight may not be wise either, but a good way to start the process of separating the two would be to conduct third-party audits and verification that security isn't getting subverted.
Bill Spernow, former director of IT for the Georgia Student Finance Commission, says the first thing he did when he got his job was to fight for, and win, independence from the IT department. "It's the biggest battle I had there," he says. "If I see a CISO reporting to some IT component, I see a position that's not working, guaranteed. The conflict of interest is just too much to overcome. Having the CISO report to IT, it's a deathblow."
1. Create structure around information security by hiring a CSO or creating an executive security committee.
2. Consider extracting the information security function from the IT department.
Little Bangs Everywhere
Major security breaches are the exception, not the rule. Most security incidents lasted less than a day and cost less than $100,000. And most companies had 10 or fewer such events in the past year.
What the Numbers Mean
Terrorists can shut down the Internet or the power grid. A hacker can take down your whole company. Both plausible headlines--or lines from consultants trying to sell their services--from the past year. But survey data shows that you're not dealing with the Great Chicago Fire. You're dealing with lots of little brush fires.
The question then becomes: Are the little hacks common because you haven't done a good job of protecting your enterprise? Are the big-bang incidents rare because you have? Or are you simply lucky enough to have avoided the big problems but not lucky enough to ward off the smaller incidents?
In any case, you're exposed to the smaller incidents. And Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest you've done a good job steeling yourself against major attacks. Instead, he sees a severe lack of discipline everywhere.
"If anything, the more you take care of the little stuff, the less likely someone will be able to pull off a big attack," says Schmidt. "I see it all the time. Companies are always pushing, 'Let's just open this one little port.' Then next thing you know they want another port, and another. And that leads to all these vulnerabilities, which turn into little brush fires. No one draws the line and says no. Instead of creating a culture of security, we're often creating a culture of getting around security."
The way technology is designed--based on open architectures--only fosters that kind of shortcut culture.
One of the reasons the culture has centered around side-stepping security is because it's usually a pretty simple thing to do, to open a port, or to allow someone to receive attachments in e-mail. For this, there is no architectural cure.
But the encouraging message buried in Schmidt's commentary is that, to mitigate the problem, little if any additional technology, spending or other resources are really required. All that's required is some discipline--someone to draw the line and say no.
1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as "the sky is falling" threats.
2. Assign a disciplinarian, and vigilantly enforce security rules without exception or variance.
Still Reactive After All These Fears
Despite experts preaching about risk management and treating security proactively, security is still largely justified by fear and government regulation.
What the Numbers Mean
In and of themselves, these numbers won't surprise anyone, and the cynics among us will sniff knowingly. No matter how much preaching we do about making security a contributor to the bottom line, and measuring its return, the discipline is largely too young and unscientific for that. There are some primitive formulas, but none has been widely accepted. It's still easier to rely on scare tactics to justify security investments.
This shouldn't be considered an endorsement of that strategy. According to security experts, CISOs and CSOs should seek any objective calculation of the value of security.
But the numbers do carry some nuances. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors suggests that they aren't thinking about security as an external networking problem. Their thinking still focuses on "How will a hacker attack me?" instead of "How will any given hack attack reach me?" Also, partners and vendors aren't demanding of each other that they, in turn, meet certain security levels, which would make interaction safer.
Covenant Health is a perfect example. Covenant Health wasn't attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port unknowingly left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.
To spin an old caveat: When you connect your network with a partner, you're also connecting to your partner's partners. Yet only 22 percent of the respondents were required by their partners to practice safe business. That seems like the easiest thing in the world to do. Just ask--no, demand--that partners do their part. The fact that so few companies demand it suggests a paralysis of hypocrisy: How can any one company demand that others be safe if it can't, for sure, guarantee that it won't infect its partners? It will take more and more in that vigilant minority who do demand safe business to tip the scales in favor of security over promiscuity.
Covenant Health's former CIO Frank Clark became a part of that vigilant minority after learning the hard way. He demanded partners meet certain security requirements before allowing them to link up to his network. "We made them specify exactly what they wanted access to," he says. "But they, themselves, had a hard time knowing what they wanted access to." By requiring partners to meet higher security standards, he says, they'll require their partners to do the same.
1. Pursue metrics and business justifications for security, and try to wean yourself from using fear factors to justify security investments.
2. Set baseline security requirements for anyone connecting to your network, and force partners and vendors to meet those requirements.
The Per Capita Benchmark
Dividing security budget by number of employees yields some surprising--and erratic--spending habits. But even here the confidence correlation is clear.
What the Numbers Mean
The per capita security spend--information security budget divided by number of employees--gives you a benchmark with which to compare yourself across industries, regardless of company size. It can also show how spending per employee varies geographically. It's a simple but powerful calculation that will shed some light on a subject that you've been struggling with.
Impulsively, you might use the spectrum to see if your spending is normal. But while there is an overall average spending level ($964), there's nothing "normal" about the range of spending, from as little as $100 per employee to well into the thousands of dollars.
Many factors could account for the broad range of spending. In some industries, the stakes are exponentially higher, even if the personnel requirements are not. An energy utility is a good example, where 72 respondents yielded an average security spend per capita of more than $7,000.
Despite the lack of normalcy, the confidence correlation shows up here too. The confident companies spent nearly two and a half times more per capita than those that lacked confidence, and one and a half times as much as the overall average. (Interestingly, the 6 percent who were unsure of how confident they were spent just $585 per capita, even less than the least confident group.)
North American businesses also spent significantly more ($1,200 per capita) than companies in the rest of the world (about $800). That didn't make them any safer, per se. Some argue it proves North American companies are less efficient with their security spending.
In the strangest twist of all, companies that suffered no damages last year spent $684 per capita, less than the average for companies that had suffered damages. Companies with more than half a million dollars in damages spent nearly $1,500 per head. The calculation may be primitive, but security executives are clamoring for any objective numbers they can get their hands on. At the very least, it's a ballpark in which to play.
1. Try the per capita security expenditure calculation in your enterprise.
2. Compare your per capita expenditure to the average in your industry, the very confident and not very confident groups, and the overall average of $964.
Why No One Hits .400 Anymore
The late naturalist Stephen Jay Gould contended that complex systems evolve from wild variation in their youth to relative uniformity in maturity, all the while maintaining an overall constant average in both. To make his point, Gould used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that, throughout the history of the game, the aggregate batting average of major-league hitters has remained constant at about .260, but that there used to be a much higher incidence of .400 hitters than now. Ted Williams was the last player to hit over .400. Prior to that, Ty Cobb and Rogers Hornsby did it three times each.
But no one hits .400 anymore, despite the fact that hitters use better equipment and have access to advanced training technologies. The reason, Gould asserted, is that everything around them, notably pitching and fielding, has improved. When baseball was young, no one knew the best way to pitch or the best strategy for positioning fielders. Over time, data has been analyzed and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that there is less room for deviation from the norm. Indeed, batting averages vary less and less from the century-old average of .260.
Information security in 2003 is where baseball was in 1922. There's wild variation in how well companies secure their enterprises. But data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.
Until then, however, some companies are Ty Cobb, and many, many others can't bat their weight.