The Security Payoff

Opinion: Investment dollars should be spent on data, not systems.

Is your digital information safer and more secure than it was five years ago? With this weeks fifth anniversary of the Sept. 11, 2001, terrorist attacks, it is certainly an appropriate time to reflect and to inspect the digital security of your information. Id guess that your inspection will reveal progress but still a wide gap between the current state of your digital security and what you would like to achieve.

In the immediate aftermath of the 9/11 attacks, digital security received nearly as much attention as developing a plan for physical security. A national cyber-security director position was created within the Department of Homeland Security, an entire new group of CSOs (chief security officers) blossomed within the private sector and IT security moved from being way down on the list of budget expenditures to a top budget contender.

But that cyber-security directors position remains unfilled (although, as of this writing, eWEEK Senior Writer Wayne Rash reports that the position is about to be filled). CSOs still seem a bit lost in trying to decide where they fit within the corporate hierarchy. And all those dollars spent on security are more than counterbalanced by nearly daily bad news about information theft, smarter computer viruses and digital bad guys worming their way around even the staunchest computer security. It all adds up to a cyber-security environment in which the IT community has been patching holes rather than building security from the ground up.

In those first few years after 9/11, spending outpaced planning. It was somewhat equivalent to the money that went into chasing the dot-com bubble in the late 1990s. No one was really sure how to get a return on spending, but no one wanted to be left behind competitors that were also in a spending frenzy.

However, just as the dot-com spending was necessary to pave the way for the growth of the Googles, eBays and Amazon.coms, security spending was probably also required for a second wave of digital security investment. I believe that second wave is happening now.

The hallmarks of the second wave are built around protecting the information rather than the hardware systems over which the information travels. The lesson from lost laptops and stolen customer data is that digital information is a fluid product that needs to be secured and, most likely, encrypted as it shuttles about networks. Firewalls, virus scanners and network sniffers all have their place in IT security, but it is the loss of data that brings down companies.

Protecting data requires a much more comprehensive approach toward IT security than merely patching holes or warding off viruses. Unfortunately, todays IT administrators continue to be overwhelmed with getting the latest bug fix or operating system patch out to their users rather than finding time to build wide-ranging data protection plans. It is somewhat analogous to airport security managers trying to confiscate pocket knives, scissors and, now, bottled water instead of developing a comprehensive way to identify and detain potential terrorists.

This fifth anniversary of the 9/11 terrorist attacks is a good opportunity to assess the state of your companys cyber-security. Have you been able to spend your budget dollars against a planned security program, or have you found yourself throwing dollars to defend yourself quickly against the latest virus making headlines?

In the past five years, great strides have been made in the hardware required for data security. Data storage is cheaper, virtualization allows a more widely dispersed and efficient use of servers, and network speeds continue to increase. Now it is time to look at the data that travels over those networks as your first priority in cyber-security.

Editorial Director Eric Lundquist can be reached at


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.