More computers equals more vulnerability, and more spending.
Joseph C. Panettieri, CFO IT
November 17, 2003
It's a classic technology dilemma: businesses know they must protect their computers from devoted hackers and disgruntled employees, but how much is too much?
During the E-business boom, many large organizations—from AOL Time Warner Inc. to Oracle—appointed chief security officers (CSOs) to implement, coordinate, and enforce corporatewide security standards. By 2002 roughly half of all businesses with $1 billion or more in annual revenue had CSOs, according to Booz Allen Hamilton Inc., a McLean, Virginia-based consulting firm.
Still, most small and midsize companies have bucked the CSO trend and instead delegate security responsibilities to their CFOs, according to Communications Network Architects Inc. "The CFO often ends up owning security in most companies because it's part of business policy," says Frank Dzubeck, president of the Washington, D.C.-based consulting firm. "And CFOs, rather than chief information officers and CSOs, have been setting business policies since the Dark Ages."
Regardless of who's calling the shots—CFOs, CIOs, or CSOs—most major businesses will spend plenty of time and money on security in 2004. Gartner says security now accounts for more than 5 percent of IT spending, and nearly two-thirds of all companies plan to spend as much or more on security in 2004 as they did this year. IDC says that such spending will have tripled between 2001 and 2006, reaching $45 billion. Meanwhile, reports of security breaches doubled in the first half of 2003 compared with 2002, which may further galvanize an already robust market.
In addition to the usual lines of defense—corporate firewalls and server-based antivirus software—businesses have begun to take a more "personal" approach to security for the year ahead. The new game plan includes employee handbooks that spell out aggressive security mandates, as well as getting security software onto PCs and notebook computers, not just servers.
This Time, It's Personal
Unlike corporate firewalls—which shield all internal systems—personal firewalls protect corporate notebooks and PCs whether they're networked in the office, at home, on the road, or within a public wireless (Wi-Fi) network.
"It's a security system that goes wherever your notebook goes," says Craig Plunkett, managing principal of CEDX Corp., a networking value-added reseller and service provider in East Northport, New York.
Personal firewall software (about $45 per system) from such companies as Symantec and Network Associates typically works side by side with antivirus software. Gartner now recommends the use of personal firewalls to all of its notebook-toting customers, and for good reason. The Blaster and Sobig.F worm epidemics of 2003 triggered more than $1 billion in damages, ranging from lost productivity to lost sales, says mi2g Ltd., a London-based computer-security firm.
These attacks take advantage of holes in Microsoft products so often that Microsoft CEO Steve Ballmer said last month that security had reached a crisis point. The company has vowed to make several changes, including the way in which it issues security patches for its products.
Microsoft is a victim of its success, says Tom Nolle, president of consulting firm CIMI Corp. "They have the market share," Nolle says, "and mainstream PC users just aren't alert to security issues and won't take the essential steps to keep systems safe."
Personal firewalls and automated notebook security could have slowed the worm outbreaks, experts say. "Today, worms and viruses are causing damage more quickly than those created in the past," warned Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University, during a recent congressional hearing about Internet security.
What's New in 2004
In 2004 expect to see more all-in-one offerings of the sort recently announced by Symantec, Internet Security Systems, and Network Associates, in which firewall, antivirus, antispam, and other functions are combined. Companies are also expected to embrace auditing and systems management software that blocks employees from downloading pirated music and software.
"Unauthorized downloads are a problem at a lot of companies," says Angelo Privetera, CIO of HDR Inc., an architecture and engineering firm in Omaha. "In addition to the ethical considerations, pirated music and software downloads often include viruses and other nasty code." Businesses are also alerting employees to so-called social-engineering techniques, in which hackers impersonate legitimate users and attempt to trick employees into sharing network passwords and other information.
Data-privacy laws, meanwhile, will further complicate the picture, as states impose new regulations that can carry stiff penalties. California raised the bar in this regard with a stringent law that went into effect July 1, one that may be mirrored by impending federal legislation. Keeping corporate data safe will be a time-consuming and expensive agenda item through 2004 and beyond.