What's driving your security strategy?

The results of a recent study suggest that legislation will force a company's hand more than its awareness of security threats. Offer your opinion on this topic and join five TechRepublic members in an ongoing discussion.

By Paul Baldwin

You've seen plenty of examples of why you should take security seriously: reports of customers' credit card information being stolen and sold, denial of service attacks that cripple an organization's Web site or e-mail system, an unencrypted wireless network giving an outsider easy access to the company network.

But a recent study conducted by CIO magazine and PricewaterhouseCoopers suggests recent legislation may be the greatest motivator for U.S. organizations. The results of the study of 7,500 senior information executives, released last month, found that 62 percent of companies will increase security spending this year, up from 50 percent in 2002.

The study—which polled corporate officers in 47 countries and across all industries—found that the top reason for the increase in funding security programs was to satisfy legislation such as the Sarbanes-Oxley Act, which holds executives accountable for their company's disclosures. During the past few years, Sarbanes-Oxley, as well as the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act, have all required companies to meet minimum levels of security for their systems and the information in their databases.

An article on offered this observation: "Although companies have repeatedly said self-regulation—not legislation—would lead to better security, the survey seems to argue that recent regulations have garnered better results than years of leaving the companies to their own devices."

Do you agree? What's more likely to motivate your company—legislation or an information executive's security stance? We've invited five TechRepublic members to share their experiences and opinions with members and to offer suggestions for your security issues. From today until Nov. 7, you can pose questions, discuss your experiences, or just submit your comments.

Here's a look at the five TechRepublic members who are scheduled to offer their comments:

  1. John Verry is a consultant for the security firm CQUR IT, which specializes in security assessment, protection, detection, and recovery services. He has been a contributing writer for TechRepublic for over a year. His most recent article, "Hacking the hacker: How a consultant shut down a malicious user on a client's FTP server," was the most-read piece of TechRepublic content in August and September.
  2. William Kern performs network administrator duties as a consultant for several manufacturing companies in western Wisconsin. He has been a member of the Midwest Computer Users Group since 1995 and is a CORE Board member/advisor.
  3. Diana Bushong is a systems administrator and a communications lab manager at Texas A&M University. Among her roles are department network admin, computer systems admin, computer instructional lab manager, information technology security officer, information assets inventory officer, and hardware builder/troubleshooter/parts changer.
  4. Jeromey Hannel is a systems administrator for a consulting company in Sioux City, Iowa. Besides administering the company's internal multisite Windows 2000 domain and client networks, he also manages the company's RedHat Linux-based Web servers for its hosting division. He holds a GIAC Certified Security Essentials certification (GSEC) from the SANS Institute and is working toward CISSP.

Join the discussion and tell us what you've seen in your firm and in your clients' organizations.
