BOSTON—The herd mentality in corporate America that scares executives into choosing the safe path in the middle of the road is one of the major factors holding back the adoption of better security technologies, experts say.
When it comes time to choose security products, many CIOs prefer to stick with easily understood, proven technologies such as firewalls and anti-virus software and avoid deploying more innovative systems like intrusion prevention. This mindset flows from a lack of understanding of whats required to protect a large network, as well as a sense of denial about the threats to enterprises these days.
"Theres a culture within the industry of not wanting to be the leader or the laggard," said Ron Moritz, senior vice president of eTrust Security Solutions at Computer Associates International Inc., in Islandia, N.Y. "Everyone wants to be able to say they did the reasonable and customary thing. But what is that?"
Moritzs comments came at a roundtable discussion of security issues hosted by CA here this week. The assembled group included CA executives, customers and partners.
Although computer security as a discipline has existed for decades, the commercial security industry is considered still in its infancy. Recently, awareness of security risks to information assets has been high, thanks to high-profile events such as the Slammer worm and the government raising the possibility of digital attacks from terrorist groups or even other nations.
But, this awareness ebbs and flows with the news cycle, said Rich Pethia, manager of the Networked Systems Survivability program, part of the Software Engineering Institute at Carnegie Mellon University, in Pittsburgh.
"Its only a matter of time before something like [cyberterrorism] happens. But people only pay attention when theres a big event, so its hard to get them to see the risks," Pethia said at SEIs annual Software Engineering Process Group conference here this week. "The Internet has grown a dark side. And unfortunately, attacks are still relatively easy to perpetrate and hard to trace."
Some experts compare the lack of awareness about the true threats facing enterprise networks to the blissful ignorance of motorists in the 1950s and 1960s who didnt believe seatbelts and other safety measures in cars were necessary. They trusted the automakers to install the appropriate safety features.
"The auto industry fought seatbelts because they were expensive. And were kind of at that point now [with security]," said Mark Doll, partner and Americas director for security services at Ernst & Young LLP, based in New York. "A lot of the Fortune 500 hasnt recognized the risks and are very naïve on the spectrum of things. Theres a deep sense of denial out there right now."
"For a long time, security was an add-on [for cars], and now its like that in the computer industry," Moritz agreed. "That will change. As companies begin to understand the cultural importance of security, it will be raised up in terms of priority."
The lack of interest in security can be seen in the placement of the chief security officer in most corporate organizational charts, said Lester John, assistant vice president of information security at Fleet Securities Inc., a division of FleetBoston Financial Corp., in Boston.
"The CSO is an advisory position to the board right now," John said. "When he gets on the board, thats when security spending will become a reality."
Latest Security News:
Search for more stories by Dennis Fisher.
Find white papers on security.