IT investment in security is incommensurate with the emerging threats. Most organizations continue to approach security as if the enemy is the former Soviet Union instead of Al Qaeda. During the Cold War, our defense posture relied heavily on nuclear deterrence, which meant building deadlier bombs and putting them on payload systems that could incinerate entire cities in a flash. On 9/11 it took only a handful of Islamic crazies to bypass our entire security apparatus, shaking our foundation and nearly bringing the entire country to its knees.
In IT the highest spend continues to be in firewalls and anti-virus software. These are the equivalent of ICBMs, swallowing up more and more of the security budget. Both are needed, but they don't come close to addressing the new generation of risks. As Adam Muntner of QuietMove notes: "For most organizations -- even some Fortune 1000 companies we work with -- security spending is not even close to being in line with the risks and threats they are trying to address."
The 5 Big Emerging Threats are:
- Trusted Users and Partners. We are exposing more and more data to more and more "trusted" people without proper monitoring and authorization.
- Web Application Vulnerabilities. According to a Gartner estimate, 75 percent of current attacks take place through application vulnerabilities. Most organizations, particularly software developers, remain clueless about application security.
- Missing or Stolen Devices. Enterprise data is now ubiquitous in everything from unencrypted laptops to mobile phones.
- Custom Malware. Signature-based anti-virus systems are completely ineffectual against custom malware. Traditional armies wear identifiable uniforms. Guerrillas and terrorists don't.
- Social Engineering. How many of our even "sophisticated" users fall prey to phishing attacks or share their passwords with strangers?
Source: Baseline Magazine, June 2008. "Closing the IT Security Gap."