SANTA CLARA, Calif., Aug. 29, 2002 — The events of Sept. 18 had a stronger impact on IT security spending than those of Sept. 11, according to a study released recently.
The study, released by Sanctum Inc., a provider of Web application security software, found that while 70 percent of the companies interviewed had increased security spending since Sept. 11, the spending increase was primarily driven by the surge of “hybrid worms” such as Nimda, which broke on Sept. 18, 2001, and the requirements of government legislation.
The four most frequently implemented IT security solutions since 9-11 were disaster recovery (50 percent); intrusion detection systems (50 percent); application-level security (40 percent); and network firewalls (20 percent).
This comprehensive survey was based on in-depth interviews with high-level security officers at some of the nation’s largest corporations in financial services, insurance, manufacturing, utilities and government industries.
“CEOs need to be taking a proactive, aggressive position to ensure their companies have the right skills, technology and risk assessment practices in place to be properly protected,” said Peggy Weigle, chief executive officer of Sanctum.
“In every instance where we have seen CEOs provide a corporate mandate to drive security across their Internet infrastructure, something gets done quickly and effectively. This survey indicates that not enough CEOs are getting involved in making these important decisions. In the long run, I believe this is going to have a serious effect on a company’s commitment to all their stakeholders.”
Key findings of the study include:
- 70 percent of the respondents said 9-11 had minimal impact on IT security strategy and spending.
“What’s different from pre and post 9-11 is the hybrid worms Code Red and Nimda that emerged near the 9-11 physical attacks,” said one respondent, the chief information security officer at a Fortune 500 financial services company. “I believe they were spawned by the same folks that drove jetliners into the buildings. The timing was just too close.”
“The Internet is like an ATM in that customers expect it to be up 24/7,” commented a senior vice president of Internet services group at a top 10 retail bank. “We are still rolling out new Internet projects to grow the medium as an effective sales and information channel. Our IT security spending plan did not change after 9-11 because 9-11 didn’t bring about Internet frauds. Internet security has always been a serious threat.”
“Utility companies never worried about security before. Now the regulatory standards required by FERC (Federal Energy Regulatory Commission) and NERC (North American Electric Reliability Council) are wide sweeping,” said another respondent, a director of security at an electric utility company in California. “A lot of utility companies will start centralizing and building security departments from scratch.”
- 70 percent of the respondents have increased IT security spending since 9-11, but the tragedy of that day was not the main cause of the increases.
“Although we increased the security spending post 9-11, the security product purchases were not due to 9-11,” commented a technology security manager at a major financial services company. “For security product purchases, timing and priority are bigger factors than the renewed focus on security caused by 9-11.”
“We quadrupled our security spending post 9-11 but most implementations weren’t related to 9-11,” said a director of global security architecture at a Fortune 500 insurance company. “We always had a very strong focus on IT security. However, 9-11 did expedite our disaster recovery planning and asset management system implementation.”
- 70 percent of the respondents see external Internet security threats as their primary concern.
“Application security is another huge problem for most financial institutions,” said another respondent, a security manager of a bank in California. “Due to GLBA (the Gramm-Leach-Bliley Act), banks have to improve their data security… I think terrorists will take advantage of the vulnerabilities in financial systems and social engineering to transfer money when other roads are blocked.”
“We’re taking a good look into cyber security threats at every possible place, from physical to desktops to routers…” commented a security manager at a telecommunications components manufacturing company.
“If anything were to happen to the Web site, we have procedures in place to isolate and replace the site in under 20 minutes. We are ahead of the game with intrusion protection measures because we have already implemented an application firewall.”
“I do think that 9-11, combined with Nimda, raised the issue that terrorists could combine physical attacks with cyber attacks at the same time,” said a director of global security architecture at a Fortune 500 insurance company.
- None of the respondents have instituted a corporate security mandate driven by senior management officers.
“I believe establishing a security committee composed of senior-level executives, including CEO, CIO, corporate security officers, auditors and a risk management team is the key to making security a corporate issue, not just an IT issue,” commented a security manager of a bank in California.
“There have been some senior management level directives regarding security, but I wouldn’t call them a true mandate,” said another respondent, a data security team leader at a paper products manufacturing company. “People are paying more attention to security at the higher level but no specific initiatives are taking place as a direct result of that trend.”
About Sanctum, Inc.
Founded in 1997 and headquartered in Santa Clara, Calif., Sanctum, Inc. is the recognized leader for Web application security solutions. Sanctum software solutions provide automatic enforcement of intended business processes, ensuring the protection of core information and data.
By detecting and defending against any unauthorized behavior, Sanctum protects customers against malicious cybercriminal activity — from theft of intellectual property and customer data, to e-commerce fraud and Web site defacement — even if a site has unknown security holes or flaws. Sanctum’s solutions complete a company’s security infrastructure, assure regulatory compliance and create sustainable ROI. Sanctum’s customers include industry leaders in finance, retailing, healthcare, government and telecommunications.
Privately held, Sanctum is funded by blue-chip venture capital firms and industry leaders including Sprout Group, Dell, Gemini Israel Funds, Fidelity Ventures, Wachovia Strategic Ventures Group, Mofet Israel Technology Fund and Walden Israel. For more information, visit www.SanctumInc.com or contact the Company directly at (408) 352-2000.
Source: Sanctum, Inc.