A five-year industry analysis shows a gradual rise in the number of security incidents, with 34 percent of companies reporting one to five security breaches in 1999 and 47 percent reporting one to five breaches in 2004. Last year, 20 percent of organizations had six to 10 “incidents” and 12 percent had 10 or more.
“Every analysis of the security marketplace confirms that kind of trend,” said Stephen Barlock, a partner in Accenture, an international consulting, technology services and outsourcing company headquartered in New York. Barlock was one of several speakers at Fifth Third Bank’s Treasury Management Forum 2005 at Celebration Cinema Tuesday.
“In 2004 a relatively surprising number of companies were affected by security issues. The really alarming statistic is that 22 percent, or one in five companies, actually don’t know or can’t measure whether they’ve had a security incident or not.”
Everyone brings a slightly different point of view to security, he said. CEOs are mostly concerned about security relating to new regulatory compliance issues, such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act in the
Nationally, from a financial controls and risk perspective, Sarbanes-Oxley is what’s driving a huge portion of the security market today, Barlock said.
“On a global level, the number of regulations absolutely exploded — almost exponentially — and was probably made worse here in the United States by the fact that there is no single regulatory agency that’s imprinted right now handling security and how organizations have to deal with it.
“I think what we’re going to continue to see — like the trend over the last six to seven years — is increasing regulation around security and financial controls. This picture is going to get a lot worse.”
CFOs, on the other hand, tend to view security as a “cost center” and an “evil” that the business has to invest in.
Business tends to perceive security as a constraint that slows down business processes. That view is coupled with the perception that security issues are caused by technology and can be solved by technology.
Security issues are especially frustrating for IT people because they are growing, but IT security budgets are largely flat and often constitute only 5 percent or less of overall IT spending, Barlock said. The fact that technology is continually changing and evolving only exacerbates the problem.
Another business concern is the password problem. The average number of applications that a typical user has to access via password is about 10 for organizations with 2,000 or fewer employees. That number can reach 25 for organizations with up to 10,000 or more employees.
“The real problem right now from a business perspective is that, flat out, there are just too many systems with passwords,” he explained. “This is a serious problem that companies are having a very hard time struggling with.”
Corporate policies that require frequent changes or complex passwords make matters worse. Regulatory requirements that specify user authentication increase the number of passwords and add to the confusion.
As Barlock noted, more than 50 percent of all enterprise applications are not yet Web-based. Why is that important?
“With Web-based technology there is a much easier path, from a technology point of view, to solving the problem with a single sign-on and have that single password tied to all of the Web applications the user has access to.”
According to Barlock, besides the “basics” of traffic filtering, virus control, and intrusion monitoring and prevention devices, there are three strategies companies can employ to strengthen security.
First, an organization must develop a “complete view” of what information security means: Define the overall security blueprint, how the security framework is structured, what the security governance model looks like, and what it takes to address security issues, he said.
Second, address the regulatory compliance problem with a repeatable process that addresses all compliance holistically rather than on a per-regulation basis.
It’s not enough to set strategy once, he emphasized. It has to be an ongoing process of updating, revising and monitoring risk assessment, policy definition, and processes surrounding privacy and security breaches.
“The message we’re telling the industry right now is that you solve this problem through a holistic compliance program. It turns out there is a lot of overlap in these compliance regulations.”
Third, begin planning for “identity and access management” (I&AM). That involves laying out a single set of business process controls and an integrated architecture to streamline operations, reduce costs and regain control of user access, Barlock explained.
He said I&AM is a big area in the industry presently, and work on I&AM systems is being driven primarily by regulatory compliance issues.
I&AM helps a company overcome the challenge of having a variety of users with access to its applications and data, each with different security and control requirements.
According to Barlock, an organization can maintain security and financial controls by providing individualized security and access rights based on each user’s identity.
“I&AM systems infrastructure provides an absolute audit and log of what every user in your organization had access (to), when they gained access and what they did.”