It was nice, however, to see a variety of monitoring activities being done (from audits to monitoring of email and web activity). Only 5 percent claimed that they were not evaluating their security effectiveness.

Tools, of course, are only part of the equation. The other side of this coin is training and awareness.

It is evident that many organizations believe that there isn't enough being done to make employees aware of security. For many companies, the main issue is complexity. While we may try to make things more transparent for the average user, the reality is that we need to explain some of the complexities of what happens in the background (it's not all just magic, you know?).

Awareness and training seem to focus on security policies, network security and security management. This doesn't mean that policies were the main focus. Technologies certainly did round out the rest of the training overall, with cryptology coming in last at 35 percent, which, as an aside, makes me wonder about the usefulness of Bachelor's of Information Security degrees that focus solely on cryptology as the basis of the degree.

It's also interesting to note that companies are pulling out of information sharing organizations. The idea of full disclosure seems to be waning for some, probably propelled by the concept of negative publicity. It seems that the primary response to a security breach is to patch the system. Pursuing legal avenues still isn't something that is widely done. Sure, the figures have gone up from last year, but they still remain below what was first reported several years ago at 30 percent. The fear of negative publicity still remains the reason why. And it's not surprising, given the recent private information violations that have resulted in class-action lawsuits. Over three-quarters were well aware of why law enforcement needs to hear it but still preferred not to report it.

Sarbanes-Oxley made an even bigger impact this year with more respondents indicating that it raised the level of interest in security. This Act has probably done more to improve security than most realize. I suspect we'll see even more of a SOX effect next year as organizations continue to get up to speed.

The survey included an open-ended question as to what is the most critical security issue an organization will face over the next couple of years. Viruses and worms only came in at fourth place (and yet, they're the number one form of attack). Data protection and application software vulnerabilities were number one. Not surprising since these are the items that get the most attention.

Perhaps it's time we started breaking our old habits and adopting new ones that address issues that really shouldn't be issues. Shouldn't viruses and worms be a passé form of attack in this day and age of robust computing and systems management?

I guess we'll find out next year.

This article was first published on