Security Leaders Give IT a C+ Grade

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Leaders in the security industry give U.S. companies -- and their ITmanagers -- a passing grade for making some significant security gainsover the last several years.

It's not good enough, however.

Corporate IT managers will have to pick up the pace and implement farbetter security to combat cyber criminals who are far more organized,well-funded and sophisticated than ever before, say industry observers.The threat to corporate networks is escalating at a dramatic rate and ITprofessionals have a daunting job in front of them to beat it back.

''In the last few years, there were some fairly easy things to do toimprove security -- keep patches up-to-date, system monitoring, installfirewalls and anti-virus software,'' says James Lewis, a senior fellow atthe Center for Strategic and International Studies, a non-partisanresearch center based in Washington, D.C. ''Now, we have much moresophisticated threats and cyber criminals. Just doing the basic stuffwon't do it anymore. You have some sophisticated opponents out there whojust won't be deterred by a firewall.''

Security analysts, IT professionals and industry leaders gathered at theRSA Conference last week in San Jose to discuss the state of nationalcyber security. Surprisingly, cyber terrorism wasn't at, or near, the topof their list of threats to the enterprise.

The most dangerous threat today, by far, is cyber crime.

''We haven't had an electronic Pearl Harbor and I don't think we will,''says Lewis, who adds that terrorists want an attack that will lookterrifying on TV, and knocking out networks, however costly, doesn'tprovide that visual. ''People are changing their perspective. It may notbe cyber terrorism that bothers them anymore. They're more worried aboutcyber crime. And they should be.''

IT professionals and corporate executives should be concerned becausecyber criminals simply are far more capable of causing damage than everbefore. And the type of damage they're causing is changing, as well. Longgone are the days when a teenager would hack into a site to crash it orleave digital graffiti. Viruses are generally no longer aimed at crashingcomputers or taking down servers.

Today, it's all about making money. Criminals are using stealthy andhighly targeted Trojans at a greater rate to steal personal, financialand sensitive company information. They're purposefully not crashing thecomputers. They want the machines up and running, enabling them to stealgreater amounts of information.

Hackers, spammers and virus writers have turned professional, and they'reteaming up, selling or sharing botnets and lists of stolen emailaddresses. And organized crime now is in on the game, putting morefinancial backing behind it and expanding the criminal network.

''Just a few years ago, it was some teenager in a garage,'' says Lewis.''Now, it's professionals. They have their own websites, tools and theirown industry. There are people who sit around and dream up new hackingtools and they offer them up for sale or rent on these hackingwebsites... You can rent botnets. You can rent email addresses. There'sfreeware hacking tools. There's been a great growth in this criminalsub-culture.''

IT Earns a C+ Average

Howard Schmidt, former White House security advisor and now president andCEO of R&H Security Consulting LLC., says companies have really steppedup to the plate and dug in behind greater security efforts. And it's madea difference.

''We are making progress,'' he told Datamation in a one-on-oneinterview. ''It's like a really good football game. We may not be scoringa touch down every quarter but we are moving the ball forward. There'sbeen a national movement on cyber security that is making this better.''

Schmidt, who gave corporate IT a C+ grade, says there have been severalincidents that shook corporate executives up enough to loosen the pursestrings and dole out cash and IT staff to upgrade their security. WhileY2K didn't shut down anyone's bank account or send people scurrying totheir well-stocked bunkers, it did make CEOs start thinking about all theinformation sitting on their networks. Add to that fear factor thedistributed denial-of-service attack that hit well-known websites likeCNN back in 2000, and then the arrival of malware like Code Red and Nimdathat hit networks around the world. It all added up to what amounted to awake-up call for information security.

''We've been better about making security part of our operations,'' saysSchmidt. ''Many companies have moved the security function to anexecutive level position. It's a highly visible and valuable positionnow. And the more visibility you get, the more attention will be paid toit.''

During a panel discussion on national cyber security at the conference,Schmidt told the audience that it has been a year since he's had aphishing email in his inbox. And he also noted that it has been two yearssince the industry has had to deal with a major cyber incident. ''We'renot just dumb lucky,'' he says. ''We've worked hard for this.''

But Paul Kurtz, executive director of the Cyber Security IndustryAlliance, a security advocacy group based in Arlington, Va., isn't quiteas upbeat about the industry's position.

''Businesses are starting to understand that information is an asset andthey need to protect it,'' says Kurtz, who also gave corporate IT a C+grade. ''In many cases, they're coming to it a little late and a littlegrudgingly. They've really learned the hard way... Giving them an A or aB would be a huge mistake.''

Read on to find out which sectors stand out in IT security, and how the government's performance was graded.

But Kurtz says that C+ grade doesn't apply across the board. Thefinancial sector is way ahead of the rest of the pack, he says, garneringthem a B+ grade. Strict regulations in the financial sector have helpedto make the difference, he notes.

Lewis agrees, adding that regulations like Sarbanes-Oxley and the HealthInsurance Portability and Accountability Act (HIPAA) have made a bigdifference for many companies, forcing their hands to spend the money andtime to upgrade their information security. At first Lewis gave corporateAmerica a C+ grade for security and then bumped it up to a B or a B-.

The problem, says Lewis, is that good security is too hit-and-miss. Onesector is strong. Others are not. One company is doing a good job. Othersare not. ''When people talk about damages from worms or viruses... somecompanies have experienced losses while competitors have had littleproblems. That's maybe not so good,'' he says. ''The question is how dowe level it off so it's not that some companies are good and some arenot, some agencies are good and some are not?''

And Lewis, who spoke on the same RSA panel as Schmidt last week, wasquick to counter his colleague and say he's not so sure that there hasn'tbeen a 'very damaging cyber incident' in the last few years. ''They mayjust not be well known,'' he added.

What is Government's Role?

Should government be leading the charge for tougher security or should itstick to making suggestions and organizing research committees? Isgovernment helping or not? These questions got mixed answers at theconference.

The National Strategy to Secure Cyber Space, which was released severalyears ago now, was designed to act as a roadmap to implementing bettersecurity and to encourage companies to improve their performance. It'shad a positive influence on the industry, says Schmidt. ''The idea wasnot to mandate but to engage and create awareness that things need to bedone, he adds. ''It was to lay out a high-level concept of what needs tohappen.''

Lewis disagrees, saying the government itself has been slow to engage.

''The government has been pretty irrelevant,'' he says. ''The NationalStrategy to Secure Cyberspace has been useful as a paper weight. It canhold your door open. It didn't ask anyone to do anything... If therewasn't a federal effort, how much worse off would we be? I think theanswer is mixed.''

Andy Purdy, acting director of the National Cyber Security Division atthe Department of Homeland Security, told the RSA panel audience that thegovernment's role is 'not being in charge' but opening up paths ofcommunication between law enforcement, the government, the private sectorand academia.

''We want to move beyond information sharing and move into truecollaboration,'' he said. ''We have to have the ability to detect andrecognize malicious activity, the ability to respond to maliciousactivity, the ability to put out shared information and the ability torecover from significant cyber disruptions.''

Kurtz, who did not sit on the panel but spoke at the conferenceseparately, said there's no time for corporate IT managers to wait aroundfor government agencies or committees to push them in any one direction.Cyber criminals are becoming an increasingly dangerous foe, and IT needsto be strengthening its defenses.

''The industry has a decision to make,'' he said. ''They can wait forgovernment to mandate or they can take steps themselves... A year ago, alot of people said security problems were hype. It was just the tech guysmaking noise and looking for attention. Well, it's not hype. This isserious.''

Submit a Comment

Loading Comments...