08:45 01.11.2005 | All news from "Security"
Third Annual Strategic Deployment Survey
Resourceful information security professionals are still getting the job done this year for organizations large and small, in the private, public and nonprofit sectors. But their efforts have been hampered by undersized staffs and underfunded budgets that limit many choices, from what products they buy to what vendors they work with.
For our third annual Secure Enterprise Strategic Deployment Survey, we polled more than 1,500 readers--at every size organization--about their overall security situations and their tactics for dealing with challenges. Our follow-up interviews with security managers provided even more details on the state of information security.
Infosec staffing and budgetary shortfalls aren't new, of course. But what makes the situation more nerve-racking are the regulatory risks and the compliance work that falls into infosec's lap, adding cost and effort at a time when budgets are growing only moderately, if at all. Case in point: One multibank holding company with 500 employees and assets of almost $2 billion recently implemented monitoring, encryption and intrusion-prevention technologies to assist its adherence to SOX (the Sarbanes-Oxley Act), GLBA (the Gramm-Leach-Bliley Act), the Bank Secrecy Act and HIPAA (the Health Insurance Portability and Accountability Act). But the company's chief information security officer, who asked to remain unidentified, still has a bleak security outlook.
"Our staffing levels are inadequate and have an impact on our ability to maintain systems in accordance with our policies and standards," he says. "This problem won't improve. Hopefully, we can do more automation and less hands-on administration and monitoring. We have done so much for so long with so little, that now we're expected to do the impossible with nothing."
He's not alone in his pessimism. Our survey shows IT security staffing almost unchanged from last year--and, in a word, deficient. Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21 percent saying they're severely understaffed. Last year, those numbers were 45 percent and 20 percent, respectively.
"I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law enforcement agencies. Clissold says his police agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls.
Clissold is one of the lucky ones. Other security managers see their situations backsliding. "We are drastically understaffed," says the head of security at a U.S.-based semiconductor industry manufacturing facility, who asked that he and his company remain anonymous. "We started out with six people on our IT team and were cut back to two people, and finally ended up with three." His IT group splits its duties, including security, among team members and is on call 24 hours, with most staffers working 10 to 12 hours every day. And he says he considers his IT staffers underpaid for the hours they put in. "I don't see it getting any better, but possibly worse as we again move to cut costs," he says.
How To Deal
Managing expectations is important for handling staffing inadequacy, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. Above all, "we must be skilled communicators and negotiators with those in senior positions," he says.
Being resourceful often means having users take more responsibility for security measures, says Justin Bell, a security specialist at a Wisconsin-based engineering consultancy. Bell's IT staff sends out a monthly security newsletter and e-mail messages that get users to perform some tasks that might normally be handled by IT. During a recent switch from static IP addresses to DHCP, for example, Bell's group took advantage of users' efforts and cut its workload to 30 individual machines from 360.
Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT security managers say, that translates directly to greater organizational vulnerability.
Our poll shows shrinking numbers of organizations at both the high and low ends of IT security budgets. Significantly, only 16 percent of this year's respondents say less than 1 percent of their IT budget is spent on security, down from 19 percent who made the same claim last year. However, the portion of readers who put their security budget at 16 percent or more of their IT spending shrank as well, down to 7 percent this year from 9 percent last year.
"Budgets are increasing, but they're still a sliver of the overall budget," says Kelly Hansen, CEO of Chicago-based information security consultancy Neohapsis and a columnist for Secure Enterprise.
Thirty-eight percent of respondents say 1 percent to 5 percent of their IT dollars go to security. But our conversations with security professionals indicate that the vast majority aren't satisfied with their budgets--to the point of sometimes feeling helpless.
For Jody Simmonds, IT security architect at the Washington State Department of Health, part of the problem is that her security office doesn't have its own budget. Instead, security must draw money from the agency's network services budget. "Security should have its own budget," she says. "We're at the mercy of another section, and they may have different priorities."
The additional processes that must be put in place to conform with regulations, especially SOX, have security staffs at publicly traded companies doing extra work with the same budget they had before the regulations came into effect. The head of security for a multibillion-dollar automobile manufacturer says his group built a "mathematical risk-assessment framework" consisting of equations that take into account risks, vulnerabilities and security technologies already in place. IT can then assign a numerical value to help it prioritize technology deployments. Moreover, it provides the head of security with a number he can take to management when requesting funding. The company developed the framework, scheduled to go live last month, with the help of two business and security consultancies.
"We'll go to management and say, 'Here's what we think the risk is, here's what we're going to apply, and here's how much we will mitigate it if you put a particular solution in place,' " the security head says. Although he admits there's some subjectivity involved, he believes the framework will help IT when it takes its case to the executives holding the purse strings.
Although Neohapsis' Hansen sees security budgets increasing somewhat, she acknowledges the compliance onus that has fallen on security managers. Moreover, she says, vulnerabilities unrelated to compliance are increasing. External attackers, for instance, "used to be 15-year-old kids, but are now sometimes linked to organized crime." She says she expects cyberattacks to peak as a problem in coming years as the field becomes more professionalized.
Security managers spend the money they have based on a diverse set of drivers, according to the survey. The top five drivers in this year's survey were, in order, improved business practices, auditing regulations, industry standards, security breaches from external sources and legislative regulations. The top five were nearly the same last year, though external security breaches ranked first and improved business practices ranked second in 2004. In both years, the top two were separated by about 3 percentage points.
www.securitypipeline.com/
