The War on Spending

Recent attacks in the West Bank, Riyadh and Casablanca may mean the war on terrorism is far from over. But despite those ominous rumblings, technology executives say they have not increased spending on securing their data networks—and are still wrestling with the question of how much to spend.

These are findings of the Project Security: Business Continuity roundtable discussion held May 20 in New York City conducted by Baseline magazine and hosted by Symantec and PricewaterhouseCoopers. The 21 chief information officers and other high-level technology executives participating said a tug-of-war was going on in their hearts—and minds—over whether security is the best object of spending in a time of limited budgets.

For now, these technology executives say support from their business-side counterparts is not the issue. If they need more money for a security project they get it. But that commitment frequently comes at the expense of another project.

Still, “if you don’t take security seriously across the company, you’re doing yourself a disservice,” says Roland Voyages, CIO at Commerzbank Capital Markets.

Robert Schnitzer, vice president of infrastructure at mutual fund firm TIAA-CREF, says security is like life insurance; you don’t know how much you need until disaster strikes.

“There’s been a lot of spending on disaster recovery, but can we all say we’re prepared for another 9/11?” asks Schnitzer. “You think you’re covered, but you never know how much is enough until you get hit.”

Technology executives say that so far their higher-ups have been willing to do whatever is necessary to maintain security. But, if there is not another major terrorist attack for two or more years, spending on security could someday be viewed like the spending binge to prepare for the Year 2000 computer glitch. “Did we overprotect for Y2K?” asks Schnitzer. “We’ll never know.”

Instead of worrying about terrorist attacks, in fact, technology executives are more concerned about the simple security of wireless networks.

With wireless communications gaining grassroots popularity, CIOs are concerned about vulnerability to improperly installed access points, and, thus, intruders over the airwaves. Roundtable participants said to protect their traditional wired networks, they are restricting worker access to wireless networks and establishing firewalls to separate wireless networks from their traditional corporate communications infrastructures.

Swarup Hosakere, a vice president at Bear Stearns, says the best security for his company has been to run and manage his year-and-a-half-old wireless network separately from its internal applications and network.

Hosakere also says he’s in no rush to upgrade to the latest wireless technology because it has a longer range and could bring security problems. When the wireless network was set up, the antennas were tweaked by limiting the power of the signals. After tuning the antennas, the range of the wireless network range was tested by internal staff and by an external firm. The goal: Don’t allow wireless signals to travel past the windowpane. That meant some signals were limited to a range of 20 to 40 feet, well below the range of most home wireless routers.

“If the network reaches outside the building and into the parking lot you could have problems,” says Hosakere.

Other security considerations:

USE INTERNAL TEAMS Donald Cantwell, a New York schools technology vice president, said his construction authority “hired an outside firm and the quality wasn’t as good as our internal audit team.”

MONITOR ALL APPLICATIONS Lou Esposito, chief technology officer of The Rockefeller Group, says he has a “blank check” for a versatile tool that will handle internal and external security audits.