Article feb2006.tar

syslog

Along with this February Security issue, Sys Admin is providing a special supplement focused on training and certification. The supplement includes an overview of training and certification vendors and a sample test, which were compiled by Emmett Dulaney, certification columnist for UnixReview.com along with results from the SANS 2005 Salary and Information Security Career Advancement Survey, compiled by Alan Paller.

Secure Enterprise magazine recently conducted their own security-related survey; see:

http://www.secureenterprisemag.com/showArticle.jhtml?articleID=172302360

According to the article by Ted Kemp, the Third Annual Strategic Deployment Survey, which polled more than 1500 readers, showed that "Resourceful information security professionals are still getting the job done.... But their efforts have been hampered by undersized staffs and underfunded budgets that limit many choices, from what products they buy to what vendors they work with."

To complement the results from the SANS Survey included in our supplement, I'm including some highlights from the Strategic Deployment Survey taken from the Web site. To start, the survey showed "IT security staffing almost unchanged from last year -- and, in a word, deficient. Forty-four percent of this year's respondents described their security groups as moderately understaffed, with 21% saying they're severely understaffed. Last year, those numbers were 45% and 20%, respectively."

When questioned about IT spending, 16% of respondents indicated that less than 1% of their organization's IT budget was allocated for information security, 38% reported 1-5%, 18% reported 6-10%, 7% reported 11-15%, 4% reported 16-20%, 3% reported more than 20%, and 14% were unsure.

Security spending is driven by a variety of factors, with the top five being improved business practices, auditing regulations, industry standards, security breaches from external sources, and legislative regulations.

Methods used to assess risk before making an information security purchase include: assessment of regulatory compliance/noncompliance (61%), input from peers (58%), informal risk analysis (57%), internal audit (49%), penetration testing (44%), input from vendors (40%), and external audit (35%).

Twenty-nine percent of the survey's respondents described their organization's information security structure as a formal dedicated team, and the number of organizations using individuals within IT to carry out security as only a secondary part of their jobs decreased from 40% last year to 35% this year. Also, the number of survey respondents who reported having a formal security policy increased from 57% in 2004 to 67% this year.

When asked to rate the importance of various qualities when choosing a security product, respondents said the leading trait was integration with existing networks. The second- and third-ranked qualities were performance and high availability. When choosing a vendor, the most highly desired quality was responsiveness to product security problems, followed by vendor reputation. More details from the survey can be found on the Secure Enterprise Web site.

I hope you find this month's articles useful and informative, and if you have suggestions for future coverage, please let me know.

Sincerely yours,

Amber Ankerholz
Editor in Chief