Our third annual survey of the SC Magazine readership has pulled in a record number of responses, and provides us with an intriguing snapshot of opinion from information security professionals around the world.
Hundreds of readers from North America, Europe and the Asia-Pacific region have responded, with many of them writing lengthy essays to express the way they feel about their jobs and profession.
Many even expressed their gratitude for the opportunity to voice their views – a sign that many security people still feel they are fighting an uphill battle to be heard in their organizations.
We deliberately asked very open questions, allowing readers to write as much or as little as they liked. And by guaranteeing them anonymity, we think what we got back was an honest and accurate assessment of the industry's state of health.
The answers, which we summarize below, allow us to see just where our readers are feeling the pain, and where they are making progress.
The most notable change since we ran our first end-of-year survey in 2002 is that there seems to be much more support for information security. Two years ago, around half the respondents cited a lack of budget and a lack of commitment from higher management as their biggest challenge.
Since then, the introduction of tough new corporate governance regulation has pinned responsibility for the accuracy and protection of systems firmly on company bosses. If an organization's systems are not properly protected, says the law, its senior managers are the ones who will go to jail. And hey presto, suddenly security is important.
Naturally, the problem has not gone away altogether. In certain sectors, such as government, there are still some readers struggling to get the backing they need to do their job. But compared with 2002, the problem has greatly reduced, to be replaced by a whole range of different challenges.
For most of the respondents, the battle in which they are engaged is still a tough one. Although many said that they were optimistic, they knew they had to be constantly raising their game to beat a whole new range of threats.
Even if senior management have stopped being much of a hindrance, users still have the power to make our readers' blood boil.
One reader, trying to outlaw the use of peer-to-peer networking software in his organization, wrote the following: "Despite several clear, definite notices that installing P2P programs such as Kazaa on our machines would be a cause for immediate termination, we still had people doing this.
"We use a program to scan machines for compliance with corporate policy, and some users thought they could get away with their behavior by installing P2P before each use and then uninstalling it. But we still found them out. The cost in replacing these people was significant, but the several security breaches we experienced were much more costly and will have lasting long-term effects."
Another wrote that his biggest challenge was "keeping insiders on the straight and narrow. Most of our serious security threats are from users abusing their privileges. We experience everything, from out-and-out fraudulent use to surfing the net for personal reasons."
Another worried about "legal liability by users searching, viewing, or surfing unauthorized websites."
Users aside, patch management figures high on the list of problems, and spyware is also clearly becoming a huge challenge that many seemed to think would dominate in 2005.
For others, the need to open up their networks to partners and remote users (through "deperimeterization" and "endpoint security") gave the biggest cause for alarm.
For many, spam continues to cause a lot of work and trouble. As one exasperated reader explained: "Most of the other security problems have technological solutions, and the issue is whether we choose to deploy them, based on their cost and/or their inconvenience compared with risk. However, there does not seem to be a reliable spam filter with zero false positives at any price."
The big surprise (to the SC editorial team at least) was the high proportion of readers who still view viruses as the number one threat. We found this surprising because the anti-virus industry is now well established and co-operates in a mature way to ensure that new virus alerts are shared by all players.
For a high proportion of our readers, however, the virus writers are still one step ahead. One reader wrote of an "exponential increase in viruses and malware exploiting vulnerabilities and ISPs and others who won't clean up systems in their networks."
From another: "There has been a massive increase in attempted virus attacks. None succeeded in penetrating our corporate network, but the greater speed with which some viruses arrived, after we were first notified by anti-virus vendors, was amazing."
And another: "Viruses coming in via email are probably my greatest threat, but I think that the internet will be a bigger distributor in the next year. I also expect attacks against the firewall to increase in sophistication as well as in number."
Another predicted even worse to come, including: "Mutating viruses that will attack data-based devices such as mobiles and PDAs, since they are completely unprotected at the moment. All devices that can be remotely accessed or controlled would also be at risk.
"Lastly, the more types of connectivity there are (such as Bluetooth), the better the options for attack – from the attacker's viewpoint."
Some readers cited specific events in 2004 that had caused considerable disruption. One said he had been unable to get rid of MSBlaster, which continued to re-surface on the network.
Another wrote: "Two issues: the crashing of our Exchange Server, coupled with a corrupted backup; the worm infection that took three weeks for IT services to clean up (2,500 machines)."
And another: "Dealing with an internal attack on our Exchange email server that necessitated the isolation of over 80 staff users (five percent of our user base were physically disconnected)."
For a couple of U.S. readers, the source of these problems lay fairly and squarely with foreigners. One blamed his troubles on "hackers, especially ones in the non-western countries," and another named Europe, as "this is where all the new scams and viruses are originating from."
Compliance – good for business?
The readership seemed divided over the impact of new regulations and corporate governance legislation.
One battle-hardened professional summed it up nicely: "The regulations are helping. Prison for executives certainly focuses the mind (and hopefully the resources)."
Some found it "a pain in the neck," however, while others felt they were in good shape to meet compliance standards. Most agreed that it involved more work, and the vast majority complained that they had not received any extra resources to get the job done.
As one reader put it: "The regulations are responsible for making the business wake up and take this stuff seriously, but they are also taxing our resources. We're hoping that additional resources will be forthcoming, however, now that the business is realizing the need."
The Sarbanes-Oxley Act came in for a lot of criticism because it is seen as being too vague, or too bureaucratic.
As one frustrated reader put it: "The job is different – with less emphasis on securing the assets and more resources spent on planning and documenting the process. There is far greater risk of me losing my job because I failed to document my work than because a hacker broke into our network."
So any reasons to be cheerful?
While many readers showed a measure of frustration, the majority of them claimed to be optimistic about the prospects for 2005.
Budgets are expected to barely grow and resources are unlikely to increase, but most of our readers felt they were up to the challenge.
When asked if there were any tools they felt would help them do the job better, there was no common theme. The best solution was to make better use of existing tools, both commercial products and open-source tools.