- In the summer of 2004, a survey by the Conference Board revealed that almost 40 percent of respondents consider security an overhead activity that must be minimized.
- The situation appears no better in the public sector. Agencies in the federal government continue to struggle with meeting the requirements of the Federal Information Security Management Act (FISMA). In early 2005, the Government Accounting Office (GAO), the investigative arm of Congress, concluded that poor information sharing and management was responsible for exposing homeland security to unacceptable levels of unnecessary risk.
According to PatchLink CEO Sean Moshir, “One of the greatest threats to enterprises today is that many — too many — organizations still consider security the lock they put on the door after the house gets built.”
The result is a tactical approach to security that is:
- Fragmented, because it is implemented in a stove-piped fashion in different departments;
- Manual or minimally automated, because point solutions cannot effectively interact with each other;
- Disjointed, or at least not well integrated with the applications they are meant to protect; and finally,
- Blind, in the sense that it is difficult to get a clear, complete and accurate picture of an organization’s security posture.
The firm has documented an instance in which an organization spent $2 million to rush a patch in a telecommunications network that had 500,000 nodes.
“What contributes to these costs? It is the manual labor, the fixing of problems, the downtime for businesses while the patches are being deployed,” explains Phebe Waterfield, Senior Analyst, Security Practice, Yankee Group.
Waterfield confirms that many organizations remain highly reactive in their approach to patch management, and therefore have not developed automated and integrated strategies for making sure that the most current measures are in place within the enterprise to deal with known threats to their IT assets. This contributes to a reactive and expensive approach to security that does not make progress toward the goal of reducing an organization’s risk posture.
A Changing Threat Picture
Malicious hackers, authors of viruses and other sources of threats have become a major cost of doing business in the digital economy. Their handiwork is now covered by the mainstream media as well as the business and technology press. Their destructive impact on the economy is measured in the billions – if not trillions – of dollars.