No Time To RelaxNo Time To Relax

As companies weigh advanced security against other IT-intensive projects, many don't see security delivering higher revenue. Security experts say that's why many businesses' spend as little as possible on IT security. Yes, some companies have invested in the latest security gear, such as centrally managed personal firewalls, application firewalls, and security-event monitoring applications. But they're in the minority. "The business guy is asking: 'What's the downside of not spending heavily on security?'" Radianz's Hession says. "Unless you're heavily regulated, you don't have a compelling business driver to spend on security. If you ask people at regulated companies how much they're spending on security, they'll tell you that they're spending the least amount of money possible so the regulators won't shut them down."

Regulation is the fastest-growing reason for security spending--59% cite legal or regulatory requirements as a justification, up from 49% last year. New federal and state regulations, such as the Health Insurance Portability and Accountability Act and California's security-disclosure law, cover the protection of customer information and reporting of security breaches, forcing some businesses to spend more. The only reason cited more often is liability, which at 70% is about the same as last year. Just 41% of survey respondents cite a potential revenue impact as justification, down from 48% last year. About a quarter cite a partner or vendor requirement.

Most companies haven't deployed more-sophisticated security applications outside of basic firewalls and virus-detection software. Only 32% have intrusion-detection systems, 34% have personal or user firewalls, 43% monitor employee Web usage, 30% have application firewalls, and 23% use vulnerability-assessment tools. Those numbers have changed little in the past two years. In addition, only 28% conduct security training for systems and network administrators, and only 23% have a security-awareness campaign, a keystone to any well-designed security program. The number of companies providing security training and conducting security-awareness programs has declined in the past two years, survey results show.

Companies that have spent heavily on advanced security now face the challenge of making those systems work effectively. Firewalls and intrusion-detection systems can generate a flood of alerts and other kinds of data, so the increasingly important task is finding the serious threat among thousands of minor alerts. That's why some buy applications to help them manage their security systems and analyze the data they produce.

Lehman Brothers Holdings Inc. last year deployed Intellitactics Inc.'s Network Security Manager to monitor and correlate security events that occur across the investment bank's systems and applications, which include firewalls, intrusion-detection systems, operating systems, and E-commerce apps. Large companies such as Lehman have dozens of systems that collect and report information about user access to applications, network traffic, potential virus infections, failed logon attempts, and related data. At Lehman, that can amount to as many as 40 million system events a day. "It's hard to analyze that data without getting it together and putting it into one common place where it can be queried easily and efficiently," says Mike Engle, VP of information security at Lehman.

The large volume of security data made it difficult to respond when a Lehman business unit asked for information about something that may have occurred on the network. Engle or his staff had to spend hours searching logs for the answer. "One query I performed on proxy logs took eight hours to complete," he says. Using Addamark Technologies Inc.'s Omnisight to consolidate security- and application-activity logs, Engle says, research that took hours can be completed in minutes.

Whether it's better management or better tools, IT security will always be a balancing act between risk and cost. After several years of fast-growing security budgets, there's a marked change in executives' attitudes--they believe they've at least caught up to the threats that face company networks. "Management is now placing bets that it's better to spend IT dollars on things other than security," Radianz's Hession says. "And there haven't been many events to show that that's a bad bet for most companies."

Of course, that could change if business networks and information systems are successfully attacked and damaged by new, unforeseen threats. An attack that results in crashed systems for a long period of time or the very public theft of confidential customer data could get executives pushing security higher up on the urgent list--and opening their wallets all over again.

Illustration by Richard Downs