Managing risk is an increasingly important part of the job of CIOs and IT executives. Risk management includes securing corporate systems, networks, and data, ensuring availability of systems and services, planning for disaster recovery and business continuity, complying with government regulations and license agreements, and protecting the organization against an increasing array of threats such as viruses, worms, spyware, and other forms of malware.
IT security staffing has risen again this year in the wake of a continuing onslaught of high-profile ransomware attacks. For many IT organizations, this means it may be time to reassess the adequacy of their IT security staffing levels. In this report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff headcount: as a percentage of the IT staff and as a percentage of the Network and Communications Group. We also analyze IT security staffing in terms of the number of applications, the number of users, and the number of network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing. (22 pp., 9 fig.) [Research Byte]
Computer Economics research shows that security incident management as a best practice is only moderately mature. Despite the escalation in threat levels over the past few years, many companies are choosing to operate with informal management of security incidents. In this study, we introduce this best practice and look at adoption trends by organization size and sector. We also introduce some providers of security incident management systems and services. (14 pp., 5 fig.) [Research Byte]
Nearly every IT organization has security policies to some extent, but there is often much room for improvement. The fact that so many companies have IT security policies that are not formally established, comprehensive in their scope, or followed consistently is part of the reason that we continue to see little progress against high-profile cyberattacks. In this report, we look at adoption trends and maturity of IT security policies by organization size and sector. We conclude with practical recommendations for IT organizations interested in improving their IT security policies. (17 pp., 6 figs.) [Research Byte]
Although IT security spending as a percentage of the IT budget is flat year over year, the trend has been upward over the past four years. This study establishes benchmarks that enable organizations to assess their spending on IT security software, hardware, and services. The benchmarks include IT security spending as a percentage of the IT budget and IT security spending per user. We examine the four-year trend in these benchmarks as well as variances by organization size and sector. We conclude with recommendations for optimizing IT security costs and ensuring the budget is spent effectively. (19 pp., 10 fig.) [Research Byte]
IT security is a critical area for IT managers, who face increasingly varied threats. The response to these threats has been to bring in some help: 45% of IT organizations are increasing the amount of IT security work that they outsource. In light of the new realities, this report is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work outsourced (trend). We also measure the cost and service experience of organizations that outsource this function, and determine how outsourcing activity and experience vary by organization size and sector. (17 pp., 8 fig.) [Research Byte]
A comprehensive business continuity plan is one that ensures that the business itself will survive in the event of a disruption, with key business functions re-established. Nevertheless, far too few business leaders understand the importance of this exercise. In this report, we define what a business continuity plan should contain and look at adoption trends by organization size and sector. We also discuss the steps that IT leaders should take to create and maintain a business continuity plan. (16 pp., 6 fig.) [Research Byte]
As recent outages demonstrate, the ability to recover operations quickly and effectively after a disaster should be an organizational priority. However, too few companies are planning for disaster recovery formally and consistently. In this study, we first look at adoption trends for disaster recovery planning by organization size and sector. We also discuss the elements that every disaster recovery plan should contain, and steps IT organizations should take in establishing such plans. (16 pp., 6 fig.) [Research Byte]
Too many companies are failing when it comes to following best practices to prevent security incidents. An IT security compliance audit is one such best practice. Although many organizations do audit security compliance, not enough of them are doing so formally and consistently. In this report, we first look at adoption trends for IT security compliance audits by organization size and sector. We also discuss the steps an IT organization should take to implement such audits. Finally, we provide recommendations for monitoring the success of security audits. (16 pp., 6 figs.) [Research Byte]
Because information technology plays a significant role in the support and function of nearly all business operations, it is essential that IT organizations be able to quickly restore services after a disaster or any disruption. This report analyzes the percentage of organizations outsourcing disaster recovery capabilities (frequency), the scope of work outsourced (level), and the change in the amount of work being outsourced (trend). We also present success rates for the cost and service experience and show how these trends differ by organization size and sector. We discuss the elements that every disaster recovery plan should contain as well. (18 pp., 9 fig.) [Research Byte]
The ability to recover from scheduled or unscheduled downtime is becoming more affordable due to an increasing number of disaster-recovery-as-a-service (DRaaS) providers. Over the past 18 months, the number and scope of DRaaS options has grown, and more managed service providers are building out cloud-based disaster recovery service operations with varying costs and capabilities. This report covers the key components of a DRaaS solution, the advantages and disadvantages of cloud-based disaster recovery, and key vendors in this growing market. (11 pp., 4 fig.) [Research Byte]
Too often, disaster recovery is simply an information-technology-led exercise. There is a growing recognition, however, that contingency planning needs to go beyond recovery of IT systems to become a business-led process that prepares the organization for many forms of disruption and ensures that the business itself—not just the IT systems—will continue uninterrupted. This report provides practical guidance on best practices for business continuity planning. (11 pp., 2 fig.) [Research Byte]
How much should an IT organization be spending on its disaster recovery efforts? In this study, we look at disaster recovery spending per user, per server, and as a percentage of the IT operational budget. We also examine differences in disaster recovery spending by organizational size and sector. Finally, we assess how many organizations are periodically testing their disaster recovery plans, a best practice that is all too often ignored. The metrics provided in this report can be used to benchmark an organization’s disaster recovery spending and testing practices against industry standards. (15 pp., 10 figs.) [Research Byte]
This special report, based on our survey of IT security professionals and executives worldwide, analyzes malicious insider threats to businesses. Basic categories of malicious threats include accessing confidential information without authorization, disclosing confidential information, executing fraudulent transactions, and sabotage of the organization’s systems, network, or data. For each of these four categories of threat, we present data concerning the perceived seriousness of the threat and actual incidents and risks of each type. We then analyze the popularity of various methods for preventing, countering, and detecting incidents of malicious insider activity. (47 pp., 27 figs.) [Extended Description] [Research Byte]
Public health authorities warn risks of a pandemic are growing in light of the swine flu outbreak and avian flu cases. Because pandemics are fundamentally different from the disasters commonly envisioned in business continuity plans, most IT organizations are not prepared to face this threat. This updated report outlines the specific ways in which pandemics are different from other types of disasters. It suggests three planning scenarios, and it outlines specific actions that IT risk managers should consider to prepare for a potential flu pandemic. If adequately prepared, the IT group will be able to continue to support critical business functions, and it can provide solutions to help the organization get through a pandemic. (12 pp., 1 fig.) [Executive Summary]
This special report, based on our survey of IT security professionals and executives worldwide, analyzes the threat of insider misuse of computing resources--that is, any violation of an organization's policies regarding acceptable use. Examples include unauthorized file copying; downloading of software, music, or other media; P2P file-sharing; rogue remote access programs, modems, and wireless access points; misuse of business or personal email; instant messaging; blogging and posting to message boards; and personal web surfing. For each of these types of insider misuse, we present data concerning the perceived seriousness of the threat, typical organizational policies or lack thereof, frequency of violations against company policy, analysis of preventive and detective actions taken by organizations to deter the misuse, and typical levels of enforcement. (77 pp., 75 figs.) [Extended Description] [Executive Summary]
An important method for improving the security of software is to assess and minimize the system's "attack surface." In this report, we provide a conceptual understanding of attack surfaces and explore how to use this concept to improve security of both internally-developed software as well as systems purchased as off-the-shelf software. We conclude by recommending best practices for limiting attack opportunities on IT systems. (4 pp., 2 figs.) [Executive Summary]
How much business continuity spending is appropriate for the level of risk an organization is willing to accept? In this study, we look at average spending on business continuity as a percentage of the IT budget. Because risks and compliance issues can vary widely from sector to sector, we break down spending by industry to provide more targeted metrics. We also analyze spending by organizational size and look at the change in spending levels from 2006 to 2007. Finally, we investigate how organizations rank disaster recovery improvements as a budgetary priority. (4 pp., 5 figs.) [Executive Summary]
Organizations today must comply with a greater number of regulations than ever before, many of which deal with information and system security. While the intent of these regulations is good, their proliferation is burdensome. Even more troubling, it is possible to be compliant but not secure. Based on our survey of 100 security, IT, and compliance professionals, this article proposes four principles for establishing a security program that goes beyond regulatory compliance. (5 pp., 6 figs.) [Executive Summary]
Vulnerabilities are often introduced into an organization when changes are made to its technology, business processes, or facilities. Therefore, security should be an important element of project management, to ensure that the security implications of these changes are addressed. However, a recent survey by Computer Economics suggests that executives have not adequately integrated their security and project management functions. This article presents the results of our survey on the role of security in project management. Additionally, we review the positive impact that security can have on project management practices. (5 pp., 9 figs.) [Executive Summary]
This article investigates the current crisis in data center power and cooling and provides recommendations for resolving it. It provides forecasts of computer power usage and energy costs and identifies the sources of demand for power in the data center. Unfortunately, common practices of data center managers often worsen the problem. Finally, we outline new approaches that organizations can take to gain control over power and cooling requirements. (3 pp., 2 figs.) [Executive Summary]
Username and password pairs as authentication factors are as weak as they are ubiquitous. They can be phished, stolen, discovered, and cracked in a number of ways. Use of a single factor of authentication is so weak that the Federal Financial Institutions Examination Council (FFIEC) is requiring that all online banking services adopt multi-factor authentication by the end of 2006. In light of these needs, a technique known as keystroke dynamics (or, typing dynamics) is emerging as an effective way to strengthen user authentication. This special report provides scenarios that illustrate the application of keystroke dynamics. We then present a probability model that can be used to analyze the security benefits of multi-factor authentication. Finally, we present an economic analysis of the financial benefits of keystroke dynamics. (8 pp., 5 figs.) [Executive Summary]
Are we winning the battle against spam? This report, based on a survey of over 100 IT managers, email/security professionals, and end-users finds that perceptions differ between these groups. Furthermore, experiences differ according to the choice of four types of spam-blocking products: third-party spam-blocking services, server-based anti-spam software, client-based spam-filters, and antispam appliances. The survey also explored the reasons that executive management approve spam-fighting technology. (8 pp., 9 figs.) [Executive Summary]
According to our research, laptop computers comprise about one-third of all personal computers in U.S. and Canadian businesses, and most of them include wireless communications capabilities. But according to data from our 2006 IT Security Study, many IT organizations fail to grasp many of the easier concepts and configurations that are available to secure wireless networks. This article quantifies the adoption rate for two public wireless security standards (WEP and WPA) and breaks down the analysis by organizational size (based on the number of laptops supported). The article also includes practical recommendations for securing wireless networks and itemizes the reasons that organizations should upgrade to the WPA standard as soon as possible.
A formal data classification scheme is fundamental to information security. Yet, many organizations--even those that profess a commitment to protecting company and customer information--fail to implement data classification. This article looks at the reasons that data classification can be difficult to develop and implement in practice and offers several practical guidelines to overcome these obstacles.
Although IT professionals usually adhere to strict security guidelines when dealing with user systems, they sometimes drop their guard when they implement systems and procedures in the data center itself. This article highlights the security weaknesses that can be created by such administrative procedures and outlines common-sense management practices that can close such back-door vulnerabilities.
Phishing attacks are growing in number and in technical sophistication. Furthermore, the impact of these incidents is increasing, with a significant portion in the form of pharming attacks, the newest and most deadly form of phishing. This article explains the evolution of phishing attacks and outlines the countermeasures that organizations need to defend effectively against them. (9 pp., 2 figs.)
Katrina exposed a weakness in the disaster recovery plans of many organizations. In addition to providing a secondary data center to recover critical IT business systems, companies must also plan to relocate key IT support personnel and key users to administer those systems. This article outlines key considerations in preparing for a Katrina-level disaster and provides updated guidelines for the safe distance and location of the recovery data center. (5 pp., 1 fig.) [Executive Summary]
The U.S. federal government and private industry have developed new guidelines that can be helpful in deciding the optimal distance between the data center and its recovery site. Based on various studies conducted over the past few years, it is clear that the placement of a recovery site too far away from the main data center can be as much of a problem as placing it too close. This research report provides guidelines for the optimal distance.
The increasing threat of security intrusions has failed to motivate many organizations to take the steps necessary to protect their software, hardware, and data. Clearly, the increase in these incidents shows a growing sophistication on the part of those who launch these attacks. The problem is, however, exacerbated by organizations failing to adopt prudent measures that would either prevent intrusions or mitigate their impact. This article highlights the extent of security intrusions in surveyed companies by point of entry and by type, and it documents the extent to which the same companies are not implementing common security measures to defend against such attacks. (7 pp., 6 figs.)