2006 may have been a wash in terms of overall computer security, but if you’re banking on the status quo in 2007, chances are your budget won’t have the right mix. And if there’s one area you’re sure to come up short in this year, it’s information protection.
“The problem of data encryption is significantly more complex than most people want to talk about,” says the CSO of a Fortune 100 company, who prefers to remain anonymous. “Data is all over the place, unidentified, and commingled. You’ve got employee personal mobile devices or home machines holding confidential information against corporate policy that you don’t even know about. I’ve talked to many other IT security leaders in companies the same size as ours, and they all tell me that protecting data is one of the most significant challenges they face. Whatever the solution is, it will be expensive and not cover everything.”
Dennis Hoffman, vice president of enterprise solutions at RSA, agrees. “Management is waking up to the fact that IT security is the poster child of TCO mismanagement,” he says. “For too long the focus has been infrastructure-focused when it should have been information-focused. Most IT leaders don’t know where all their information is, and if you don’t even know where it is, you can’t manage it.”
Consolidation is one big-picture solution for which companies may not be budgeting enough this year. “We are talking server consolidation, data consolidation, fewer datacenters, and virtualization,” Hoffman says. “It’s much easier to manage the information coming out of three datacenters than 23.”
Patch management is another area where companies may not spend enough in 2007. According to experts at Symantec, the average time from the announcement of an exploit to the release of a patch is 31 days, while malware built on the exploit appears on average 3 days after the announcement, leaving an exposure gap of 28 days during which systems are vulnerable and unpatchable.
A full 35 percent of machines contain known app vulnerabilities, according to a recent test by Secunia. Microsoft Automatic Updates appears to be working; other apps, however, need patching help. Firefox, for example, was unpatched more than 30 percent of the time. And more than 50 percent of Adobe users were running vulnerable versions. Put together a comprehensive patch management plan and stick to it.
But when it comes to securing the enterprise, knowing where to place your bets is delicate business.
“We’ve got some big gaps that we are trying to close,” the Fortune 100 CSO says. “Every year we try to do a new risk assessment, and make sure we are allocating resources where they are needed.”
The stakes are high. Whatever you do, don’t be among those who will underinvest this year in risk assessment.