Are security professionals trying to do too many things? (For that matter, are we ALL trying to do too many things?)
That's the hypothesis posed by vendor StillSecure, which is releasing today the results of its 2005 Security Management Survey. While I'm generally skeptical about vendor-sponsored research, you might want to consider the findings in the context of your own security customers.
Among other things, the poll of approximately 900 IT and security professionals found that 82 percent of respondents who said they were responsible for security were also responsible for other IT projects, such as networking. Approximately 53 percent said they reported into the IT department, while almost 30 percent of the security professionals answered to someone such as the CFO or CEO.
Even more disturbing, perhaps, is the finding that only 21 percent were working on security full-time. Little surprise, then, that more than half of the respondents, 53 percent, said they had too many other business demands to deal effectively with security.
"Most people say the reason they haven't been successful is because they are wearing a lot of hats," says Alan Shimel, chief strategy officer of StillSecure, which is based in Louisville, Colo.
Some (including me) would argue that security needs to be considered in a broader context in order to be truly effective. Thus, for example, those of your customers who have centralized security task forces may be inadvertently leaving out valuable input. On the flip side, someone does need to be responsible for actually ensuring that anything gets done. "Though it does have to be everyone's job, it has to be someone's job to make sure it's everyone's job," Shimel says.