Are businesses getting complacent on security?

Security has fallen out of the top 10 business priorities and complacency may be setting in without big attacks grabbing headlines.

That was the message from Gartner security analyst John Pescatore, arguably the best observer in the firm. At the Gartner Symposium/ITxpo, Pescatore raised a host of interesting issues. "We haven't had a major worm outbreak in the last two years," said Pescatore. "And CIOs seem to be feeling safe. Maybe it is safer out there."

Meanwhile, CIOs top priorities are improving business processes, controlling costs and retaining customers. Security fell out of the top 10 priorities.

Pescatore's theory goes something like this: In 2006, a host of data breaches got businesses to shore up security. Now these same businesses are comfortable with their position.

The problem: Enterprises aren't thinking about security for new threats. Indeed, firms may have old threats covered, but it's the new scenarios that carry the big bang.

Pescatore had a list of security items that executives weren't thinking about. Here are two interesting slides in Pescatore's presentation (there's actually a hype cycle chart that makes sense):

Mashups. Enterprises are about to get on the Web 2.0 bandwagon, but aren't thinking through the security implications. "Web 2.0 needs security 101," says Pescatore. "As soon as businesses start using mashups, the security risks increase."

RFID. Readers connected to enterprise resource planning systems and supply chain applications are installed all over. What if an executable file was delivered through a reader? "Enterprises look at the reader software and say it's just a dumb chip," says Pescatore. "What if it's a guy on a laptop pretending to be a chip."

New products and new technology are creating new holes to exploit. "Businesses haven't done the threat modeling," says Pescatore.

Mobile software attacks. The software powering mobile phones is getting less heterogeneous by the minute as Windows Mobile gains market share. That means that the list of potential victims is growing. In addition, people tend to trust files sent via text messaging.

Regulation inspired attacks. Sarbanes Oxley requirements push you to change your password every three months. The rub: That requirement invites phishing attacks. Pescatore notes that phishing attacks can create an internal email address, provide a way to change your password and then run off with corporate data.

The solution to this issue isn't to spend more money, says Pescatore. The real solution is to buy "more secure stuff." That sounds obvious, but how many executives build security into request for proposals (RFPs)? Not many. Pescatore argues that security requirements should be part of any outsourcing or software development deal. In theory, the most secure firms should see declines in security spending just holding vendors to the fire.

"Every time there's a piece of software built there should be evidence of vulnerability testing and the software lifecycle," says Pescatore. "If I buy a shirt, I see it was inspected by checker 27. Where is 27 when I buy software?"