February 06, 2001, 2:45 PM — Security is in the eye of the beholder. For one company, passwords, a firewall, and an informal security policy are shield enough. A bank might consider the same setup inadequate. Security is inherently a balancing act between comprehensive protection and user convenience. And no system can ever reach absolute security. So we decided to look into the state of InfoWorld readers' corporate security practices and provide a tool for our readers to compare their company's security to what their peers perceive to be "secure enough."
To develop the InfoWorld Security Index, we conducted a survey of 100 InfoWorld readers. These readers were randomly selected, contacted by telephone, and invited to participate in the survey. All participants indicated that they were at least somewhat knowledgeable about their company's security procedures and infrastructure.
For the InfoWorld Security Index, we assigned a point system to answers. Points were based on whether or not the element in question was a part of an enterprise's security infrastructure, but were not based on the perceived importance of a particular security measure. Points were assigned based on the mean answers and were then weighted to a scale of 1 to 100; the higher the number, the more comprehensive the security infrastructure. Only those answers that directly indicated the state of a company's security were assigned a value.
Overall, surveyed readers considered their company's security to be "good," with more than half rating their company's security readiness as "good" or "very good." But 32 percent felt their company's security readiness was only "fair" or "poor" -- considerably more than the 10 percent who believed their company fell in the "excellent" range.
A commitment to security can be reflected by the bottom line. A majority of the readers had a specific line in their budget devoted to security expenditures. This number varied greatly, with the average totalling $114,000 annually. Nearly half of the interviewees indicated their organization's annual security spending will increase next year.
One of the more interesting things we discovered is that a great many organizations' security policies are not well-established. Eighteen percent indicated their company doesn't even have an unofficial security policy: They were essentially flying by the seat of their pants. A significant chunk of security policies fell into the nebulous area of unofficial, unwritten policy. Not surprisingly, 56.3 percent use "word of mouth" to distribute security policies.