Continued from Page 1.

Security Training

One question that CSI should consider asking is what kind of training is being done. Defining the training types would help explain some of the figures for the cost of training. Training lags behind other security expenditures, yet it arguably has a far greater impact than, say, a firewall or IDS. When training costs a mere $18 per employee (for companies earning over $1 billion), I question how many employees are actually being trained and what the training encompasses. For instance, was it a short lecture on confidentiality when they were hired, or a few days of intensive training by a professional?

The other question is whether some of the smaller businesses are realizing the importance of security training and finally spending on it to protect themselves. Initial capital outlay is often the biggest security expense, so it will be interesting to watch this trend over the next few years and see whether spending drops for the smaller companies over time. Overall we should see training costs level off, because at some point the spending will go toward refresher courses rather than training from scratch.

Security's Effect on the Bottom Line

The survey asks how companies measure security spending, in terms of Return on Investment (ROI), Net Present Value (NPV) or Internal Rate of Return (IRR). Use of ROI rose 4 percent after dropping to 38 percent last year. Security is evidently still treated as an expense and justified largely on ROI, which leads me to believe that a lot of security is still done as a reactive measure rather than a proactive one. Once companies do take a proactive approach to security, we'll see far fewer simple attacks succeeding.

It was heartening to note that security is seldom outsourced. Well over half of the respondents said they don't outsource security at all, although this is a 2 percent drop from previous years. It means that the people responsible for security know how the company actually works. Security is evidently an IT function important enough to keep in-house rather than trusting an outsider to fiddle with.

One interesting question was whether respondents would hire a reformed "hacker" (let's call them what they are: malicious attackers), and more than 85 percent said no. This means that hiring virus writers and famed, formerly jailed attackers is a rare occurrence, and we shouldn't assume it is the norm when the media yaps about it.

The last financial issue is the question of cybersecurity insurance. You'd think that after Katrina and other natural disasters, along with some heavy-duty lawsuits over information breaches, more companies would look into insurance, but the majority of respondents, nearly 75 percent, said no to cyber-insurance. It appears that companies are willing to accept the risk and deal with the consequences themselves rather than pay a regular premium.

It doesn't have to be an all-or-nothing proposition. Much like the fire alarms that alert you to danger and the home insurance you carry in case the fire department can't stop the fire, companies should invest in both detection of cyberthreats and some form of protection against the losses they cause.

In part 2 of this article, I'll look at where the attacks were coming from, old habits and more.

This article was first published on EnterpriseITPlanet.com.