The Register - Taking IT Security to task - Sleepwalking from bad guys to big brother - February 2008

Taking IT Security to task - Sleepwalking from bad guys to big brother

1. ABOUT YOU AND YOUR ORGANISATION

We want to kick off with a few questions about you and your organisation.

1.1 What is your level of involvement in IT security? (check all that apply)

I am significantly involved in defining and setting IT security policy
I am significantly involved in reviewing business requirements and defining strategy
I am significantly involved in defining technology requirements and/or selection
I am significantly involved in deploying and/or configuring security products and solutions
None of the above - I just use the stuff

1.2 Have you personally experienced any of the following in the past six months? (check all that apply)

Identity theft - credit card numbers being used without your permission
Viruses or spyware on a computer you use/own
Serious loss of data (e.g. hard disk crash)
Accidental loss of bag, keys or wallet/purse, phone, laptop
Theft of keys or wallet/purse, phone, laptop
Other (please state)

1.3 Who has overall responsibility for IT security in your organisation, in terms of setting policy, and managing the security environment?

                                Policy      Management
CIO/IT Director
Corporate board
Business management
IT management
IT operations
External consultants
Other (please state)

1.4 How important is IT security to the following aspects of your business? (Rank 1-5, where 1 = Not important, 5 = Critical)

                                                                                  Not important                  Critical
                                                                                        1       2       3       4       5
Continuing day to day operations
Complying with legal requirements or industry regulations
Minimising the financial risks that could result from a security breach
Assuring customer confidence in corporate brand and/or reputation
Protecting data relating to suppliers, customers and other parties
Protecting information around products and services in development
Minimising the potential for information leakage or fraud caused by internal staff

1.5 What is your organisation's general attitude and approach to physical security? (check one)

High security environment - most areas are restricted access
Most areas are secure, with specific exceptions
Most areas are pretty open, with specific exceptions
There are no real restrictions on who can go where

2. TECHNOLOGY IMPLEMENTATION

We now want to set a baseline in terms of what technologies your organisation has implemented, or is planning to implement. We're keen to gauge the level of familiarity too.

2.1 Which of the following security products are deployed or planned within the next year? How familiar are you with them? (1 = not familiar, 5 = very familiar)

                                          Deployed?   Planning?   Familiarity:  1     2     3     4     5
Antivirus/Antispam
Behavioural analysis and forensics
Content filtering appliance
Firewall
Identity and access management
Intrusion Detection System (IDS)
Intrusion Prevention System (IPS)
Network Access Control (NAC)
Security event management
Single sign-on
Virtual Private Network (VPN)
Vulnerability testing
Other (please state)

2.2 Given everything that you have implemented, how well protected do you believe you are against the following? (Rank 1-5, where 1 = poorly protected, 5 = well protected)

                                                                            Poorly protected              Well protected
                                                                                   1       2       3       4       5
External hackers with malicious intent
External annoyances such as spam
Staff inadvertently breaching security
Staff deliberately breaching security
Third parties deliberately breaching security from within the organisation

3. SECURITY POLICY

So how good is your organisation at defining and implementing policy in relation to security?

3.1 Which of these best describes the current state of IT security policy in your organisation? (check one)

We do not have a documented IT security policy
We have a security policy, but it is largely out of date and irrelevant
We have a security policy that is good at some things and bad at others
Our policy is fully comprehensive and was updated recently but is static
Our policy is fully comprehensive, up to date and is 'dynamic' - it changes as we do

3.2 How would you characterise the following? (Rank 1-5, where 1 = very bad, 5 = very good)

                                                                      Very bad                          Very good
                                                                          1       2       3       4       5
The level of security awareness in your organisation
The availability of training with respect to IT security
How seriously IT security is taken by senior business management
How seriously IT security is taken by the general workforce
How seriously IT security is taken by senior IT management
How seriously IT security is taken by IT staff

3.3 How co-ordinated is your IT security function with the business? (check one)

There is no co-ordination between IT and the business
There is some co-ordination between IT and the business
There is significant co-ordination between IT and the business
Not relevant: there is a function that oversees IT security policy and strategy as part of our business

4. THE REAL THREAT - AND WHAT TO DO ABOUT IT

Finally, let's look directly at what's causing the problems, and what can be done in real terms about them.

4.1 Has your organisation suffered any of the following in the past six months? (tick all that apply)

A Denial of Service attack on the company
Defacement or corruption of website
Loss of corporate information
Theft of corporate equipment
Viral attack affecting significant number of computers
Systems failure resulting in direct business impact (e.g. loss of email for multiple days)
Other (please state)

4.2 What do you feel could have the most impact when it comes to improving IT security in general? (Rank 1-5, where 1 = least effective, 5 = most effective)

Business
                                                                      Least effective                 Most effective
                                                                          1       2       3       4       5
Better prioritisation of business risks
Better communication of this to IT
Better communication of this to the workforce

IT
                                                                      Least effective                 Most effective
                                                                          1       2       3       4       5
Better communication with the business
Better implementation of policy according to business requirements
Provide more / better / appropriate training for end users

User
                                                                      Least effective                 Most effective
                                                                          1       2       3       4       5
Better understand business priorities around security
Apply training received

4.3 What we REALLY need to do is...
Here's your chance - you're in the pub putting the world to rights - so what's missing here? Tools and products? Training? Strategy? Co-operation? What's the key thing, or things you think should be done in your organisation to make it all work properly from an IT security point of view?

 

5. FINAL TICK AND BASH DEMOGRAPHIC QUESTIONS (To help us with analysis of the results)

5.1 Which of the following best describes your role?

Head of IT function or department
IT project/team leader/manager
IT professional (architecture/design)
IT professional (development/coding)
IT professional (operations/support)
Enterprise architect
Business analyst
Business manager/executive
Business professional
Other (please specify)

5.2 Which part of the world are you based in?

 

5.3 Approximately how large is your organisation in terms of employees?

Fewer than 10 employees
10 to 50 employees
50 to 250 employees
250 to 5,000 employees
5,000 to 50,000 employees
More than 50,000 employees

5.4 Which of the following categories best describes your organisation?

 

THANK YOU!

Many thanks for your time. Please click the Submit button to send us your answers.