The state of security: It ain't pretty

On the eve of a highly anticipated security show, Jon Oltsik says the battle against the bad guys is far from over.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
Wow, what a few months it's been for the information security industry!

In December, Symantec and Veritas Software showed incredible guts by announcing plans to merge into an 800-pound business risk-reduction gorilla. At the same time, Cisco Systems bolstered its security management by grabbing Protego Networks, then proceeded to gobble up Airespace in January, making it the secure-wireless king.

Even BMC Software decided that reinforcing its security portfolio made business sense, so it bought Paris-based Calendra to put together a soup-to-nuts identity management offering.

Is there any rest for the weary? No way, Jose. Earnings season is upon us, to be followed quickly by the RSA Conference, which begins on Valentine's Day in San Francisco.

I can't remember a more highly anticipated security show. Everyone who is anyone in security will be there--vendors, users, investors, analysts, reporters and so on. Heck, even I've already been invited to about 15 cocktail parties, and various and sundry PR people have co-opted my phones, asking me to meet with security start-ups I've never heard of that offer "the next big thing."

Before the whole security world goes entirely ga-ga, allow me to introduce reality into the party. Yeah, I know I'm a buzz killer, but someone has to play that role, and it might as well be me.

The Enterprise Strategy Group (also known as the place where I work) just completed an information security research project, in which we surveyed 251 information technology professionals.

Respondents came from companies of all sizes, though most were from businesses with more than $500 million in revenue. The results suggest that a good number of organizations remain security novices and struggle to provide basic protection.

Here's an example. While 64 percent of respondents said they have a high level of investment in perimeter security, only 39 percent claimed to have a high level of investment in internal network security. Other critical assets like hosts, applications and desktops received even fewer votes.

Note to all those "next big thing" guys: Your customers are still implementing firewalls and filtering gateways.

Another data point: Companies are scared to death of e-mail. When asked to identify which type of traffic they believed is most vulnerable to attack, 46 percent of users fingered e-mail, followed by Web traffic at 22 percent.

Haven't we figured this out yet? The "Melissa" and "I Love You" viruses that propagated via e-mail are 5 years old or more. Not only is e-mail more dangerous than it was when we were worried about two-digit date codes, but we've added spam and phishing to really make the security guys pull their hair out.

To be fair, there has been progress here. BorderWare Technologies and McAfee have great e-mail security products, but this is definitely an area where we take two steps forward, then one step back.

Worm holes
What about worms? In August 2003, everyone got slammed by MSBlast and Sobig, to the tune of about $4 billion in damage worldwide.

We may have made some progress on worm prevention since then, but the lion's share of companies are still suffering. In our survey, 66 percent of users said their organizations had been impacted by a worm in the last 12 months, and more than half of those were hit more than once.

Almost everyone said their businesses suffered financial and operational impact from worms, and 14 percent of users said this impact was severe. Yikes!

We got tons more data--too much to expound upon here, so I'll do my best to offer a summary. Most users see risk, threats and vulnerabilities all around them but remain confused about which way to turn. Before choosing a technology solution, they labor through about a half dozen disparate product evaluations, adding time and cost to the implementation process while their organizations remain insecure.

The data did show some positive signs. For example, ESG found that companies that have adopted intrusion prevention systems (IPS) said they'd had fewer security problems and voiced a great deal of satisfaction.

Of course, there are also a lot of investment dollars at hand to finance new companies with better mousetraps in time for next year's RSA Conference.

Nevertheless, after analyzing this data for the past month, I still have visions of security Sisyphus pushing an ever-growing boulder up an ever-steeper hill.

I love San Francisco, and RSA is always a blast. It's not just the cocktail parties; it's the opportunity to speak with the brightest minds in our industry and compare notes on what everyone is seeing. This year, however, I'll make sure to curb my enthusiasm and seek out the security professionals in the crowd for a reality check. It won't be hard to do--they'll be the harried-looking men and women constantly on their cell phones in the midst of the industry glitz.