CFOs Will Force Accountability
The lack of financial analysis won't last forever, if chief financial officers have a say. When evaluating the security costs related to Microsoft or any other vendor, technology managers should ask: How much time do systems administrators spend maintaining patches and monitoring intrusion-detection software? What does that time cost? Does patching take longer than installing a new operating system? If a hack attack has occurred, what time and resources did it take to mop up? How often does this happen each year?

One defense against hacks targeted at Microsoft is to diversify operating systems to balance your exposure. Linux generally is a less-expensive alternative that is often viewed, perhaps erroneously, as more secure, says Lobel. The Weather Channel Interactive Inc. runs "a few" Windows servers amid 300 Linux servers and says there's no comparison regarding security, according to Dan Agronow, vice president of technology at the Atlanta company. "The number of vulnerabilities and the time-consuming nature of maintaining patches [in Windows] just doesn't make it," he says.
But rather than run from one system to another hoping to find something impenetrable, the better response, security consultants say, is for corporate customers to acknowledge the worm-a-week syndrome and swallow the responsibility to guard against it themselves.

"Companies need to continue to exert pressure on vendors. But in the same vein, they have to get over the fact that we're working with insecure products," says Matthew Caston, consulting director for the enterprise security group at American Management Systems. Caston's bottom line? You're on your own.

Caston advocates some basic steps that are often ignored: Install the patches. Buy server operating-system updates. Activate antivirus software. Even those companies with large technology-security departments led by chief security officers don't fully track the security steps they've taken or the costs of those steps. They can't analyze whether what they're doing works or if it makes sense to try something new, Caston says. In the meantime, "users need to willfully take responsibility for doing what the vendor tells you to do," PricewaterhouseCoopers' Lobel says.