Running on Luck

The evolution of security attacks such as malicious codes and viruses has seen CIOs reassess and change the way they protect their systems.

Gartner defines a security vulnerability as a weakness in process, administration or technology that can be exploited to compromise IT security. Such a weakness can exist in any layer of the application stack and can stem from almost any IT administration, process or design function.

"Increasing Internet activity, along with the use of Web services, wireless connections and other new technologies, will lead to more vulnerable configurations. And these vulnerabilities will cause increased downtime for organizations that don't push security concerns into their processes for software development and procurement," warns John Pescatore, Gartner vice president and research fellow.

"Basic changes to the operating systems and hardware platforms used by servers and PCs will make dramatic leaps forward possible in some areas of software security," says Pescatore. "That said, through 2008, IT leaders will need to implement stopgap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms."

However, at least at this stage, such fears do not seem to be translating into effective counteraction.

At a time when the pace of technological change is increasing at a double-exponential rate, according to Raymond Kurzweil's essay on the confluence of exponential trends known as the Law of Accelerating Returns, Gartner research director Steve Bittinger says businesses are woefully unprepared for the implications of this dramatic development. Kurzweil's analysis of the history of technology shows that technological change is exponential, contrary to the commonsense "intuitive linear" view.

"So we won't experience 100 years of progress in the 21st century - it will be more like 20,000 years of progress (at today's rate)," he writes. "The 'returns', such as chip speed and cost-effectiveness, also increase exponentially. There's even exponential growth in the rate of exponential growth. Within a few decades, machine intelligence will surpass human intelligence, leading to a milestone known as The Singularity: technological change so rapid and profound it represents a rupture in the fabric of human history."

To Bittinger, the rate of technological advance should be setting alarms ringing across every business in the land. He maintains that many companies have underestimated or poorly understood the problems that are associated with security, particularly since every new technology brings with it a new security vulnerability.

"We have a technologically-based society and technology is zooming ahead faster and faster, and you can turn that around and say: 'Well, what does that say about vulnerability?'," Bittinger says. "We're getting all these new technologies . . . and every one of them brings with it new security vulnerabilities.

"Knowing that that's the state of the world, we can't be reactive. We have to get very serious about understanding what the architecture is that is going to provide us with a greater level of security. We have to actually be proactive in terms of consciously building in security from the beginning," Bittinger says.

As the Internet has been such a critical component of many companies' successes, CIOs are starting to realize that to avoid Internet business disruptions, companies need to implement a security system that alerts, protects, responds and manages.

As one observer says: "The role of CIOs has changed from: 'I'm just looking after the gates around the house and making sure no one gets in' to: 'I need to know about neighbourhood robberies, what they are taking and how they are getting in'." This intelligence-type role is becoming more important as attacks become more aggressive and "zero day" attacks start to appear on the horizon. A zero-day attack exploits a vulnerability so soon after it is discovered that a patch cannot be developed in time.

But while the CIO is a key player - and, for some organizations, may be at the nexus of security efforts - it would be a mistake to view IT security as the responsibility of the information technology group. "Nothing could be further from the truth," writes M Eric Johnson in the CIO (US) article "Information Security in the Age of the Extended Enterprise".

Johnson, who is professor and director of the Centre of Digital Strategies at the Tuck School of Business, explains: "During the quality revolution, the firms that found quality breakthroughs were the ones that realized that quality could not be delivered by the quality control department. It had to be part of the organization's culture. Security, like quality, is everyone's responsibility.

"Business managers cannot be passive, waiting for protection from the information security police. Rather, information chiefs must articulate the risks, like any risk faced by the business, and as a team, executives must balance the risks. Brad Boston, Cisco's CIO, described how his organization moved from a traffic cop that simply said yes or no to business manager requests to one that helped them make good decisions. 'Our job is to identify the risk. The threat of that risk actually occurring, the probability, and tell what the options are to remediate it. Then a business decision is made about what risks are acceptable and which risks are not.'

"This responsibility resides at every level in the organization - including the board," Johnson continues. "One CIO complained to me that when he presents updates to his board on new applications their eyes light up. But when he talks about security, he sees them glaze over. Having board members who understand the risks and can help other members see those risks is key to effective information technology governance and to building a culture of security."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
