A breaking up of old habits typically happens with a characteristic slowness.
But, when things fall apart - when something terribly unexpected and catastrophic comes to pass - it is possible for less-than-positive changes to take place with a swiftness not often witnessed.
The collapse of the Twin Towers and ensuing deaths of thousands of innocent people was just such a happening on this day last year. Many in the U.S. and in other countries articulated expectations that all sorts of changes in the way people thought, lived, and worked would occur rather quickly once the initial shock, anger and sadness of the unprecedented event passed.
In the IT security arena, some industry notables postulated that corporations and government entities would begin taking physical and virtual security so seriously that real and comprehensive deployments of long-needed infosec tools and implementation of sound, well-thought-out policies would come to pass with unparalleled speed. Attitudes toward cybersecurity, business continuity, disaster recovery and all things security would change noticeably so as to lead to all-inclusive IT security plans that would enable businesses and governments to immediately detect and respond to the multitude of cyberthreats that plague them on a daily basis. Maybe these long-awaited attitude changes and real implementation of infosec strategies would occur with such velocity that some cyberattacks would even be prevented from affecting operations.
Of course, this hoped-for revolution in infosecurity thought and action has yet to occur. There is no arguing that attitudes about virtual and physical security have been re-worked in the minds of most people post-9/11, but real action in both the corporate and government worlds is still hard to come by.
"I believe that 9/11 changed attitudes toward security, but mostly physical security. Since the attacks had little to do with network security, most businesses did not make a connection between the attacks and the security of their electronic information," says Jason Wright, industry analyst and program leader of security technologies for Frost & Sullivan. "I have neither predicted nor witnessed a substantial increase in network security market performance since 9/11. Perhaps a few implementations may have been accelerated, but these implementations would likely have come to fruition regardless of whether 9/11 had happened or not."
And, such IT security implementations may have been slowed instead due to lack of funding. Michael Corby, president of QinetiQ Trusted Information Management Inc., says that there were many companies who actually had begun to view a need for such security technologies as IDS or disaster recovery and infosec planning. However, after the terrorist attacks of 9/11, companies began to redirect funds to safety and physical security planning. Largely ignored in the budget, more than a few IT security projects are on the back burner until physical security plans are put in order.
On the flip side, others believe that some action in the area of business continuity can be seen. While "Sept. 11 has changed the way people talk," says Sanjaya Sood, vice president of SchlumbergerSema Cards and Terminals for North America, it also has seen some higher level thinking in regard to continuing business in view of major disasters and disruptions. For about six months after 9/11, company executives began to ask questions about what they really needed to plan for - an action that has resulted now in the completion of concrete plans. It seems, Sood explains, that many organizations have blueprints to move on from here.
Still, he notes that there has been no "quantum leap" in general infosecurity spending. Yes, he has seen a heightened awareness and focus on policy and methodology planning, but generally little has happened in the way of real IT security deployments.
A Digital Security index recently released by Ernst & Young LLP shows that of the 91 Fortune 500 companies surveyed, only 21 percent have formal digital security policies in place that are being supported by written procedures and guidelines. These and other infosecurity stats gathered to assess approaches taken to security since Sept. 11 show a trend: folks know they need to secure their virtual worlds, but, in the end, have taken little action to do so.
"While there is a renewed awareness of all aspects of security since 9/11, I don't believe there have been significant changes in the security posture of large public and private organizations," says Lynn McNulty of McNulty and Associates in Virginia, U.S. "People are doing what qualifies as an 'acceptable' level of security but not going beyond that. The implementation of security solutions is being squeezed by the economic downturn and is still being viewed as discretionary spending."
So, what is it going to take for companies to make real moves toward securing their IT environments? Some say more government mandates will help organizations see the error of their ways, while others predict that a combined physical and virtual attack of great magnitude will push organizations to see that infosecurity is a requirement.
Whatever the catalyst, all agree that companies - especially those on which countries' critical infrastructures rely - must do more to protect interconnected systems that keep the world operating. Businesses need to focus more on infosecurity planning and supportive technology deployment, understand and share best practices with one another, and coordinate cybersecurity efforts with government sectors. The sooner upper managers accept these facts, the closer the overall Internet infrastructure will be to withstanding a major catastrophe. But, development of such a solid and secure web of networks requires all the players on it to understand and accept their roles. No matter what the cost, the time to break old, tired habits of crying cybersecurity ignorance is now - before things fall apart.
Illena Armstrong is U.S. editor and features editor of SC Magazine (www.scmagazine.com).