CFOs Will Force Accountability

By Kim S. Nash  |  Posted 2004-03-05

The lack of financial analysis won't last forever, if chief financial officers have a say. When evaluating the security costs related to Microsoft or any other vendor, technology managers should ask: How much time do systems administrators spend maintaining patches and monitoring intrusion-detection software? What does that time cost? Does patching take longer than installing a new operating system? If a hack attack has occurred, what time and resources did it take to mop up? How often does this happen each year?

One defense against hacks targeted at Microsoft is to diversify operating systems to balance your exposure. Linux generally is a less-expensive alternative that is often viewed—perhaps erroneously—as more secure, says Lobel. The Weather Channel Interactive Inc. runs "a few" Windows servers amid 300 Linux servers and says there's no comparison regarding security, according to Dan Agronow, vice president of technology at the Atlanta company. "The number of vulnerabilities and the time-consuming nature of maintaining patches [in Windows] just doesn't make it," he says.
But rather than run from one system to another hoping to find something impenetrable, the better response, security consultants say, is for corporate customers to acknowledge the worm-a-week syndrome and swallow the responsibility to guard against it themselves.
"Companies need to continue to exert pressure on vendors. But in the same vein, they have to get over the fact that we're working with insecure products," says Matthew Caston, consulting director for the enterprise security group at American Management Systems. Caston's bottom line? You're on your own.

Caston advocates some basic steps that are often ignored: Install the patches. Buy server operating-system updates. Activate antivirus software. Even those companies with large technology-security departments led by chief security officers don't fully track the security steps they've taken or the costs of those steps. They can't analyze whether what they're doing works or if it makes sense to try something new, Caston says.
In the meantime, "users need to willfully take responsibility for doing what the vendor tells you to do," PricewaterhouseCoopers' Lobel says.

Senior Writer
Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.
