Study: Your Org Chart And Security

A company’s organizational structure is not directly related to security challenges in its network — but too many demands on executives could inhibit effective security, according to a new study.

Security firm StillSecure’s 2005 Security Management Survey polled nearly 900 IT professionals in an examination of how organizational structure may affect how security challenges are addressed.

Although the study found no direct correlation between network security challenges and how an organizational chart is structured, 53 percent said many other business demands are a primary inhibitor to effective network security. “Others said that security responsibilities are too distributed (11 percent), security is not a core component of IT (9 percent), and they are only allowed to manage specific areas of the network (8 percent),” the survey noted.

Responsibility for IT security for the most part still resided within IT departments, with 53 percent indicating that they report to a CIO or CTO. However, the survey found that 29 percent report directly to a CFO or CEO, a larger share than StillSecure expected. Chief strategy officers and legal departments came in at the bottom of the ladder with only 5 percent of reports.

“We expect that the number of security personnel reporting to business administration or corporate security will continue to grow as security groups are increasingly tasked with regulatory compliance and business operations,” Alan Shimel, chief strategy officer at StillSecure, told

The survey found that 82 percent of all security professionals had responsibilities that include both security and networking. Only 34 percent of firms reported having a centralized data group.

“We didn’t expect to see how very decentralized security remains in the
majority of organizations polled, which ranged from SMEs to the largest
enterprises,” Shimel said. “Also, almost all security personnel are
responsible for a mix of networking, security, and keeping the business
operational, which ranked as the number one inhibitor to network security.”

Most respondents have already implemented anti-spam (82 percent), remote
access VPN (81 percent), intrusion detection (69 percent), patch management
(66 percent) and anti-spyware (64 percent) solutions.

Less widely implemented technologies include intrusion prevention (48 percent),
network-based vulnerability management (47 percent) and endpoint policy
compliance (39 percent).

Intrusion prevention (IPS) was ranked by 32 percent of respondents as
their top security initiative over the next 12 to 18 months.

“From a technology perspective, we were interested to see that there were
many more people who have currently implemented intrusion detection versus
intrusion prevention,” Shimel said. “This speaks to the natural transition
in the market we’re seeing from detection to prevention, with prevention
being ranked as the number one technology respondents plan to deploy in the
coming year and a half.”
