Survey: gaping security holes

Despite the fact that more than half the companies surveyed by Network World say they are spending more this year on security than last year, fewer than half say they have done a good job nailing down the security fundamentals.

The Security Buyer's Insights survey polled 274 qualified subscribers, with roughly a third hailing from companies with 10,000 or more employees, a third with 1,000 to 9,999 employees and a third with fewer than 999 workers.

Only 44% of the respondents said they have done a good job documenting network assets, while 52% admitted they need to do a better job. As the old saw goes, you can't manage something - and certainly can't secure it - if you don't know about it.

It gets worse. Asked whether they had determined the vulnerability of network resources, only 38% said they've done a good job of that, and 58% said they need to do better. That means some of the companies that have taken the first step and documented assets have yet to take the next logical step and figure out which of those resources are vulnerable.

But knowing something is vulnerable is of limited value if you don't know how critical that resource is to the business. Here is the grimmest news: Only 25% said they've done a good job of assigning those values, while 46% said they need to do better, and a whopping 26% said they aren't assigning business value to any resources.

Just as you can't manage resources if you don't know about them, you can't adequately secure them if you don't know how vulnerable they are and how critical they are to the operation.

These results render the usefulness of the next two findings questionable: 49% of the respondents said they have security policies in place, and 39% said the policies have been properly explained to employees. Bank tellers might understand the security procedures, but that doesn't mean much if the bank doesn't know how vulnerable the goods are.

Moreover, it is remarkable that in this day and age fewer than 50% of the respondents say they have done a good job putting documented security policies in place.

The survey did turn up one piece of good news: Almost three-quarters of the respondents reported they are conducting security audits. Among those that conduct audits, 5% do them daily, 10% weekly, 21% monthly, 21% annually and 43% randomly.

The survey suggests that, even with the increased attention focused on security, the job is so big and hairy that progress takes time. We hope some of the increased funds dedicated to the cause will help cover some of the fundamentals.


Copyright © 2006 IDG Communications, Inc.
