New Enterprise Focus: Building Security Teams
Security spending at most organizations accounts for somewhere between 2% and 20% of the total IT budget, according to Giga Information Group, and more of this money is being spent on personnel.
During the past year, Giga found that organizations appeared to appropriate larger portions of the budget for senior security managers, including chief security officers (CSOs), than before. Spurred by September 11 and a heightened awareness of the need for security, organizations are bringing the era of "jungle rules" in security management to an end.
"To reevaluate the state of internal security, security managers need to understand what skills and salary levels are needed for security personnel, as well as how to structure the entire team," said Giga Vice President Steve Hunt. "How these teams are built depends heavily on the size and complexity of the organization, but most importantly, on the company's risk tolerance."
Giga's research found that CSOs working in financial services earn significantly higher salaries (up to $400,000 annually plus bonuses) than their counterparts in telecom, utilities and manufacturing.
Related: Rise of the Chief Security Officer: Even before Sept. 11, many companies were hiring a top executive to oversee their IT security needs, but in the months since the attacks the trend has accelerated.
CSOs in financial services reporting directly to the CIO make between $125,000 and $270,000, while those reporting to business executives (CFOs, COOs, etc.) may earn as much as $400,000, plus a 15% to 25% bonus. CSOs in telecom, utilities and manufacturing, who commonly report to executives two levels below the CIO, earn about $70,000 to $90,000 per year, plus a 15% bonus. This is closely matched by the science-business sector, where CSOs may earn as much as $100,000 but can expect somewhat smaller bonuses, at 10% to 15%.
According to Hunt, there are three possible outcomes for risk management: Accept the risk, assign the risk or mitigate the risk.
"The extent to which you choose mitigation and the complexity of your IT infrastructure's applications portfolio will ultimately dictate the size and depth of your internal security program," Hunt said. "The tolerance for risk, more than anything else, dictates the resources that will be needed for the security organization."
Large non-tech manufacturers, for example, usually rate themselves as very risk-tolerant, while large banks rate themselves as very risk-intolerant, and financial trading institutions, large hosting services and defense contractors usually operate with zero tolerance for risk. Giga's research shows that risk tolerance is getting lower.
"High-profile companies or organizations associated with national infrastructure are lowering their risk tolerance measurably and increasing their security budgets similarly as a result of the current threat climate," Hunt said.
Malicious code infection (commonly called a virus) remains the most common security threat. According to the 7th Annual ICSA Labs' Virus Prevalence Survey (ICSA is an independent division of a managed security services provider), the rate of malicious code infection continues to rise despite increased spending on security.
The survey gathered data from 300 companies and government agencies to describe the virus problem in computer networks, including desktop computers. Gantz-Wiley Research, Network Associates, Panda Software and Symantec Corp. sponsored the study.
Among the virus trends the study found taking shape in 2002:
- An increase in the number of multiple-vector threats similar to Nimda: more worms and viruses will attempt to exploit vulnerabilities across multiple vectors.
- The proliferation of host-based threats: worms such as Code Red and Nimda show a trend toward malicious code that infects and propagates through Internet host computers.
- The creation and continuation of factors that contribute to rising infection rates. These include new virus types, increased use of multiple e-mail programs, new replication vectors and expanded forms of connectivity.
The survey also found that the average company spends between $100,000 and $1,000,000 per year on the total consequences of desktop-oriented disasters (both hard and soft costs). In addition to being more prevalent, computer viruses were more costly, more destructive and caused more real damage to data and systems than in the past. File corruption and data loss are becoming much more common, although loss of productivity continues to be the major cost associated with a virus disaster.
Organizations are also responding to increased threats by increasing their spending on security software. According to Dataquest, Inc., the worldwide security software market is expected to reach $4.3 billion in 2002, an 18% increase over revenue of $3.6 billion in 2001 (see More IT Dollars Headed to Security).
The telecommunications and communications industries led the way in security spending in 2001. But in 2002, with security a front-page issue, government, education, IT and financial services are expected to increase security software spending, while telecommunications, communications and services are projected to cut back.
This story was first published on CyberAtlas, an internet.com site.