The War on Spending

Technology executives struggle with security. The problem: they won't know how much to spend on it-until it's too late.

Recent attacks in the West Bank, Riyadh and Casablanca may mean the war on terrorism is far from over. But despite those ominous rumblings, technology executives say they have not increased spending on securing their data networks—and are still wrestling with the question of how much to spend.

These are findings of the Project Security: Business Continuity roundtable discussion held May 20 in New York City conducted by Baseline magazine and hosted by Symantec and PricewaterhouseCoopers. The 21 chief information officers and other high-level technology executives participating said a tug-of-war was going on in their hearts—and minds—over whether security is the best object of spending in a time of limited budgets.

For now, these technology executives say support from their business-side counterparts is not the issue. If they need more money for a security project they get it. But that commitment frequently comes at the expense of another project.

Still, "if you dont take security seriously across the company, youre doing yourself a disservice," says Roland Voyages, CIO at Commerzbank Capital Markets.

Robert Schnitzer, vice president of infrastructure at mutual fund firm TIAA-CREF, says security is like life insurance; you dont know how much you need until disaster strikes.

"Theres been a lot of spending on disaster recovery, but can we all say were prepared for another 9/11?" asks Schnitzer. "You think youre covered, but you never know how much is enough until you get hit."

Technology executives say that so far their higher-ups have been willing to do whatever is necessary to maintain security. But, if there is not another major terrorist attack for two or more years, spending on security could someday be viewed like the spending binge to prepare for the Year 2000 computer glitch. "Did we overprotect for Y2K?" asks Schnitzer. "Well never know."

Instead of worrying about terrorist attacks, in fact, technology executives are more concerned about the simple security of wireless networks.

With wireless communications gaining grassroots popularity, CIOs are concerned about vulnerability to improperly installed access points, and, thus, intruders over the airwaves. Roundtable participants said to protect their traditional wired networks, they are restricting worker access to wireless networks and establishing firewalls to separate wireless networks from their traditional corporate communications infrastructures.

Swarup Hosakere, a vice president at Bear Stearns, says the best security for his company has been to run and manage his year-and-a-half-old wireless network separately from its internal applications and network.

Hosakere also says hes in no rush to upgrade to the latest wireless technology because it has a longer range and could bring security problems. When the wireless network was set up, the antennas were tweaked by limiting the power of the signals. After tuning the antennas, the range of the wireless network range was tested by internal staff and by an external firm. The goal: Dont allow wireless signals to travel past the windowpane. That meant some signals were limited to a range of 20 to 40 feet, well below the range of most home wireless routers.

"If the network reaches outside the building and into the parking lot you could have problems," says Hosakere.

Other security considerations:

USE INTERNAL TEAMS Donald Cantwell, a New York schools technology vice president, said his construction authority "hired an outside firm and the quality wasnt as good as our internal audit team."

MONITOR ALL APPLICATIONS Lou Esposito, chief technology officer of The Rockefeller Group, says he has a "blank check" for a versatile tool that will handle internal and external security audits.