Getting wise about security

09 Apr 2008

IT security seems to have fallen out of the public eye.

Two years ago it was the number one concern of CIOs and even some CEOs. But a sampling of recent vendor offerings and the tech press suggests that other issues, like saving energy, virtualization and the recession, have the attention of enterprise IT groups.

Yet if there's not the same anxiety, IT vulnerabilities are still there. Phishing caused an estimated $3.2 billion in losses in the US in 2007, according to a Gartner estimate.

Thieves are getting smarter, too. The US Internet Crime Complaint Center (IC3) reported $237 million in actual cyber-crime losses in 2007, up 20% over 2006. The number of complaints is actually falling - down 11% from 2005 - apparently because crooks don't want to risk a jail term for a few bucks; they're instead stealing more money from fewer victims.

For corporate IT systems, VoIP is emerging as a critical vulnerability. A VoIP security vendor, VoIP Shield, raised the alarm in a recent study, claiming to have identified 100 security flaws in gear from top VoIP players Avaya, Cisco and Nortel.

You'd expect that from a vendor, but Gartner's research director for networking and communications equipment, Laurence Orans, agrees. He says CIOs and CSOs have been lulled into a false sense of security by the small number of attacks, and most firms don't have adequate protection for their converged networks.


As IP telephony grows, it's inevitable that "targeted and possibly broad-based attacks will become more frequent," he said.

For all that, I do think that what has developed in the past few years is a security awareness, similar to road safety awareness, and that is one reason why security problems are less in the public eye.

But we're still some way short of what Bruce Schneier, security guru and founder of Counterpane, calls a security mindset.

Schneier blogged recently in praise of a university course that aims to inculcate just that. Students record their experiences probing the vulnerabilities of daily life - not necessarily tech-related issues, but mundane items like traffic lights or dorm security.

"The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols," Schneier writes. "The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail."

True enough, and he goes on to say that the security mindset is not just a disposition helpful to CIOs and network, but a useful life skill as well.

If people can learn to think outside their narrow focus, "they'll be more sophisticated consumers, more skeptical citizens, less gullible people," he says.

"Laptops wouldn't be lost with millions of unencrypted Social Security numbers on them, and we'd all learn a lot fewer security lessons the hard way. The power grid would be more secure. Identity theft would go way down."

Sounds good - but can we take his word for it?
