The best place to start is with what "The State of Information Security 2003" survey doesn't include. It doesn't include some stark bit of data that will make you slap your forehead and exclaim, "Oh, that's the problem!" It doesn't include figures that suggest a secret formula for setting a security budget.

Nowhere in its hundreds of pages of raw numbers will you find The Answer, because The Answer is a fiction, even if the problem is not. Information security is a difficult, nuanced and immature craft. Silver bullets are for people who aren't serious about solving the problem.

What this survey does include, in its depth (more than 7,500 respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories), is a comprehensive profile of the imperfect and evolving world of information security.

According to the survey findings, it seems you're all just now coming to terms with information security as a problem. You understand that fixing the problem won't be easy--that it will take a complex combination of infrastructure, education, proactive risk analysis and regulation. But at the same time, you seem to be hoping against hope that an easier way out will present itself. You know you need to do more, but the survey shows that you're not yet doing it. It's the classic economic principle known as the Problem of the Commons: Information security is a problem, but it's not my problem.

The link for this article located at CSO is no longer available.