Perspective: The state of security: It ain't pretty

Wow, what a few months it's been for the information security industry!

In December, Symantec and Veritas Software showed incredible guts by announcing plans to merge into an 800-pound business risk-reduction gorilla. At the same time, Cisco Systems bolstered its security management by grabbing Protego Networks, then proceded to gobble up Airespace in January, making it the secure-wireless king.

Even BMC Software decided that reinforcing its security portfolio made business sense, so it bought Paris-based Calendra to put together a soup-to-nuts identity management offering.

Is there any rest for the weary? No way, Jose. Earnings season is upon us, to be followed quickly by the RSA Conference, which begins on Valentine's Day in San Francisco.

A good number of organizations remain security novices and struggle to provide basic protection.

I can't remember a more highly anticipated security show. Everyone who is anyone in security will be there--vendors, users, investors, analysts, reporters and so on. Heck, even I've already been invited to about 15 cocktail parties, and various and sundry PR people have co-opted my phones, asking me to meet with security start-ups I've never heard of that offer "the next big thing."

Before the whole security world goes entirely ga-ga, allow me to introduce reality into the party. Yeah, I know I'm a buzz killer, but someone has to play that role, and it might as well be me.

The Enterprise Strategy Group (also known as the place where I work) just completed an information security research project, in which we surveyed 251 information technology professionals.

Respondents came from companies of all sizes, though most were from businesses with more than $500 million in revenue. The results suggest that a good number of organizations remain security novices and struggle to provide basic protection.

Here's an example. While 64 percent of respondents said they have a high level of investment in perimeter security, only 39 percent claimed to have a high level of investment in internal network security. Other critical assets like hosts, applications and desktops received even fewer votes.

Note to all those "next big thing" guys: Your customers are still implementing firewalls and filtering gateways.

Another data point: Companies are scared to death of e-mail. When asked to identify which type of traffic they believed is most vulnerable to attack, 46 percent of users fingered e-mail, followed by Web traffic at 22 percent.

Haven't we figured this out yet? The "Melissa" and "I Love You" viruses that propagated via e-mail are 5 years old or more. Not only is e-mail

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

More Perspectives