Survey says IT security still maturing as a profession
- By William Jackson
- Jul 27, 2005
LAS VEGAS'IT security professionals wear many hats and answer to many masters, according to a survey released today by network security company StillSecure Inc.
Only one-fifth of those responding reported their organization had a dedicated, full-time security manager or administrator, and a whopping 82 percent said their jobs included a mix of networking and security responsibilities.
Alan Shimel, chief strategy officer for the Louisville, Colo., company, said regulatory pressures appear to be pushing responsibility for IT security out of the IT shop and toward the business side of the house. Although 53 percent of respondents said they answer to their organization's CIO or chief technology officer, 19 percent now answer to the CEO and 10 percent to the chief financial officer.
"It's clearly a trend that the business side is going up," Shimel said. "Security has always been a bit of a redheaded stepchild in the IT world," and it now is being adopted by the business world.
The Security Management Survey, conducted last month by StillSecure, was released at the Black Hat Briefings IT security conference. It is based on responses from 880 IT and security professionals, including 54 in federal government. Another 55 respondents work in state or local government.
Federal regulations such as the Health Insurance Portability and Accountability Act, Sarbanes-Oxley and the Federal Information Security Management Act are placing greater responsibility for IT assurance on company and departmental executives, forcing them to pay more attention to security.
Paradoxically, business demands are listed in the survey as the chief impediment to IT security. More than half of the respondents said requirements to keep systems operational get in the way of implementing and maintaining good security.
Despite organizational challenges, multiple layers of defense are the standard on most networks, the survey showed. Firewalls and antivirus software are almost universally deployed. Most networks are using anti-spam tools, some type of remote access protection such as a virtual private network or a remote access server, intrusion detection systems (IDS), patch management and anti-spyware tools.
Asked about priorities for the coming 12 to 18 months, 27 percent of respondents list IDS and patch management as leading the list, indicating these technologies soon are likely to be as ubiquitous as firewalls and antivirus software. The top priority for another 32 percent of survey respondents was intrusion prevention, which would put IP in 80 percent of networks.
In the wake of a continuous stream of reports on personal data being compromised, Shimel said he expected to see federal regulations this year on securing consumer data. He said this would continue the current trend toward consolidating IT with physical security and making them integral parts of business practices.
William Jackson is a Maryland-based freelance writer.