September 30, 2005 • Volume 3 • Number 10

By Robert Green, Senior Editor

Is IT security as deeply ingrained in organizations as it needs to be? Do IT security people work in dedicated areas or do they “do security” as just one set of tasks among multiple network-related duties? How do most organizations deploy their IT security people? And, what percent are dedicated to security only?

Earlier this year StillSecure, a provider of integrated network security systems, polled responses from about 900 IT security folks to get a reading on the state of the overall IT security/human resources situation today. The survey found that about half (53 percent) of all IT security people remain under the authority of organizational IT departments. Another 29 percent of respondents report directly to CEOs or CFOs in their organizations.

Most tellingly, the survey found that “almost all security professionals (82 percent) are responsible for a mix of networking and security as opposed to one or the other.”

Organizational structures tackling network security vary greatly, according to the survey, with security centralized in a dedicated group in 34 percent of the organizations polled, with only 18 percent saying that security is a component in multiple departments where they work.

Structure not withstanding, 53 percent of all respondents said “the primary inhibitor to effective network security is too many other business demands,” according to StillSecure’s survey report. “Others said that security responsibilities are too distributed (11 percent), security is not a core component of IT (9 percent), and they are only allowed to manage specific areas of the network (8 percent).”

But regardless of who is doing security and where inside the organization, there is tactile evidence that tools are being installed. The survey reveals:

“Most organizations are adopting a layered security approach starting with the perimeter and desktop. Over 60 percent of respondents have already implemented remote access, anti-spam, anti-spyware, intrusion detection, and patch management solutions.

“Technologies that are currently less widely implemented (50 percent adoption rates or below) include intrusion prevention, vulnerability management, endpoint policy compliance, identity management, and SIMs (security information managers).

“When asked to prioritize security initiatives over the next 12-18 months, 32 percent ranked intrusion prevention (IPS) as their top priority. Intrusion detection (IDS) and patch management tied for second at 27 percent each, and anti-spyware ranked third at 23 percent.”

Mitchell Ashley, StillSecure’s CTO, said security integration is a major requirement facing many organizations largely because “very few new security systems replace existing security. Most just add to the portfolio of systems that must be managed.” The upside is that “layered security has clearly taken hold as the best practices approach,” he said.

The downside--?

“The mix is becoming more complex,” Ashley said. “It’s not just a matter of blocking attacks but coordinating actions across security tools and internal IT systems. This means organizations must start automating tasks related to trouble ticket, patch management and other management or administrative tasks that are still very staff-intensive.”

The survey, he noted, reveals that there is no one approach to the organizational deployment of security personnel although Ashley said he believes that dedicated security teams that work across the departments within organizations are likely to be increasingly adopted where they do not already exist.

“The next phase of implementing security is realizing that it is not about technology but about the organizational change in the processes that are needed within the organization,” Ashley said. “The hard part is that security isn’t just limited to the security organization. It reaches out to all the IT administrators, and the organizations outside of IT that might be running their own devices or bringing in new devices that connect to the network. All of this might not require new technology as much as it does coordinated action.”

You can find out more about the survey and StillSecure at www.stillsecure.com.

E-MAIL A FRIEND

Keep A Small Independent Publisher Publishing!
Update Your Subscription Information Now!

For the past three years, we’ve tried our best to bring you articles demonstrating innovation and best practices at work in the public sector.

 Effective Government is dedicated to serving this mission.

Thank you for your support.  But now we need your help. First of all, to make our editorial product better we need to know more about you, such as the types of products and services you use. That way we can tailor our editorial  to more precisely meet your information needs.

In the interests of full disclosure, we also need to know more because we need another type of support – the support of paid sponsors.

We’re small. And to survive we need paid sponsors. And before sponsors will invest in Effective Government, they want to know who they are reaching.

That’s why we're asking you to update your Effective Government subscription by completing the  form (link below).

Yes, we’re asking for some detailed information, but no more than any other publication. It only takes a few minutes to complete and it's FREE.

Please update your information. Then you’ll be sure to get Effective Government 18 times a year with articles that focus on innovation and best practices – stories you won’t find in the mass market government press.

And you'll help keep a small, independent publication publishing.

We have one more important promise!

Effective Government will NOT sell your name to any third party, so they can send you advertising you may not want. All sponsor contact will be under the Effective Government heading.

Thank you.