There's no shortage of burning questions about IT security these days, some sparked by nasty threats, others by economic concerns and some by growing use of social networking and cloud computing.
We spoke to about two dozen experts – IT customers, analysts and vendors – to nail down some answers. What follows is a summary of the questions we addressed. Click on the hyperlinked questions to read more on each topic.
The insider threat has always existed, but in an era of economic upheaval and uncertainty, the problem is only magnified. That point came across in a recent Ponemon Institute survey of 945 individuals who were laid off, fired or quit their jobs during the last year, with 59% admitting to stealing company data and 67% using their former company's confidential information to leverage a new job. So the big question is: How far should IT managers go to protect corporate data?
"There's a balance," says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics, in Long Beach, Calif. "I wouldn't want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute."
A huge debate these days is whether to select a strategic security vendor to provide the majority of security products and services the enterprise might require, or opt to evaluate point products, including those from start-ups, with an eye toward best of breed.
"My tendency is to lean toward a strategic vendor if we can," says Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center, which includes hospitals and medical research centers. But he adds he doesn't yet see the benefit of product integration that choosing a strategic security vendor (in his case Cisco) is supposed to bring, such as common management console.
Automation of security is a concept with momentum this year as some of the larger federal agencies, including the Department of Defense, National Security Agency, Agriculture and Energy, are pushing for a new direction beyond the current FISMA audit mandate for compliance. They want Congress and the Obama Administration to consider adopting the Consensus Audit Guidelines, a set of 20 security technical controls that encourage automation.
But can security processes be automated?
Vendor-sponsored security surveys are a dime a dozen, but that doesn't mean it's easy to ignore their findings. Did you know the number of crimeware-spreading Web sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, according to the APWG (formerly Anti-Phishing Working Group) coalition? Or that data breach costs rose to $6.6 million per breach last year, up from $6.3 million in 2007, according to the Ponemon Institute? Just how worried should you be about all this?
"Yes, security is one of the concerns about cloud computing that is delaying its adoption," says Eric Mandel, CEO of managed hosting services provider BlackMesh in Herndon, Va. "One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data. How can you protect yourself from a security breach somewhere else in the cloud?"
Security concerns will continue to keep some companies out of the cloud, Mandel acknowledges.
Mobile computing, from laptops to the myriad handheld devices such as smartphones, BlackBerries, iPhones, USB tokens and PDAs, seem to be delivering as many security concerns as overall benefits, IT managers say. Locking down laptops is proving somewhat manageable via a variety of security tools, but smartphones are another matter altogether.
Social networking — whether it be Facebook, MySpace, LinkedIn, YouTube, Twitter or something else — is fast becoming a way of life for millions of people to share information about themselves for personal or business reasons. But it comes with huge risks that range from identity theft to malware infections to the potential for letting reckless remarks damage corporate and personal reputations.
Both IT managers and security experts remain wary of social networking, with many seeing few defenses for its traps besides plain old common sense and some form of antimalware protection. Most say their efforts involve simply educating those about the risks of hanging out on the social networking scene.