Many Remain Clueless On Security

While more and more companies are conscious of the need to secure their data and computer systems from attack, many still remain out of touch with the dangers that such attacks present, said experts on a security panel held during the recent Comdex Global Technology Marketplace in Las Vegas.

According to Christian Byrnes, vice president and service director for the Stamford, Conn.-based META Group, five years ago only 20 percent of his company's client base was “well secured.” Today, he said, that figure is 40 percent, with another 20 percent investing and growing their security programs.

The remaining 40 percent of META clients, however, “have not woken up yet” to the need for security, Mr. Byrnes said.

Mr. Byrnes asserted that “30 percent of security is technology,” such as monitoring software, but that the remainder rests on human factors and accurate risk assessment. As a result, companies need to focus on establishing security policies, creating processes to protect the most valuable assets and acquiring the technology necessary to protect critical assets.

“Sixty percent to 70 percent of organizations worldwide are doing the wrong things security-wise,” he stated. He noted that companies are looking to automate security processes but are not paying enough attention to human factors and attitudes. “Your worst enemy is a CIO that doesn't understand that security is a necessary investment,” he said.

However, according to Ben Golub, senior vice president, security, payments & managed security services for VeriSign in Mountain View, Calif., attacks on computer systems nearly doubled last year despite $12.6 billion being spent on security. VeriSign is a provider of digital commerce and communication products and services.

Mr. Golub recommended that companies manage their security programs the same as they would financial risk, based on risk versus return. He also advocated bringing in an outside consultant to get an objective view of a company's security capabilities and vulnerabilities.

While some of the high-profile virus problems that have surfaced recently have been linked to vulnerabilities in Microsoft software and the Windows operating system, Carl Elison, senior security architect for Redmond, Wash.-based Microsoft, said, “This is not just a Microsoft problem.”

He conceded that Microsoft is “good at producing cool stuff,” but noted that “security isn't cool.” He pointed to the commitment (only a day earlier) of Bill Gates, Microsoft's chairman and chief software architect, to make security the number-one priority at Microsoft.

He noted that Microsoft is developing schedules that will allow software users to keep their patches up to date. The patches would be sent in large “bundles,” thereby requiring less frequent updates, which has less impact on the company.

Mr. Elison also noted that many worms are produced after the patch is released, by hackers who study the patch and then make the worm. (A worm is a virus that replicates itself by sending itself out to other computers, using the computer systems of its victims.)

Mr. Golub pointed out, however, that even when such a patch is applied, “there is a level of risk that it may not work well with your systems.” He also noted that even with today's firewall technology, companies “can't stop everything” when it comes to attacks. He cited users who take company laptops home and connect to the Internet there as one common security risk.

The solution, he suggested, lies in authenticating the identity of users both inside and outside the company.

Bruce Schneier, chief technology officer and founder of Counterpane Internet Security in Cupertino, Calif., asserted that the more software is “examined” by software engineers or others, the more secure it is. One way this can happen is via “open source”–that is, making source code of a program freely available to the development community.

Mr. Elison noted, however, that open source carries its own security risks, in that the software code can also be examined by potential attackers.


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, January 2, 2004. Copyright 2004 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

