Last summer, my colleague Mike Vizard wrote an interesting article called "At What Price Security?" that questions the way enterprises approach security in terms of funding and infrastructure. In the article, he pointed out:
"Because the vast majority of our security dollars are being spent to maintain the existing infrastructure, we probably don't have enough money on hand to combat new and emerging security threats. It's roughly equivalent to spending all our money maintaining walls while the enemy spends all their time building airplanes to fly over the walls."
The time has come, he added, to re-evaluate enterprise security.
Convincing business leaders that the time has come may be difficult, according to a recently released straw poll of IT security managers conducted by CDW. The IT Threat Straw Poll gives a solid overview of what keeps security personnel awake at night, but the findings might not be enough to convince management to improve security efforts. Of the 200 IT security professionals surveyed, only 17 percent say that nothing at all would convince their companies to invest in higher levels of threat prevention, and 18 percent say that only a significant breach of their systems would compel an escalation in security investment. However, there is some optimism that executive management understands the business risks: 39 percent of respondents believe that a specific assessment pointing out vulnerabilities in their IT security systems would lead to an increased investment in network protection.
What do security personnel consider to be the biggest threat to the corporate world? Data loss through internal threats, negligence or accidental loss, said 37 percent of respondents. Other top threats include:
Said Doug Eckrote, senior vice president of strategic solutions and services at CDW:
"It is troubling to see so many organizations still struggling with preventable threats such as viruses and worms, when the stakes are so much higher from the risks that newer threats pose. It's critical for businesses to secure themselves with the effective, readily available shields against ordinary threats, to free up time and resources for more proactive action against data loss and the rising threats of botnets and malicious, targeted attacks."