Threats are growing more sophisticated. "We've gone away from script kiddies and amateurs to well-funded criminal organizations and nation-state hacking," Johnson said. Frontal attacks on the network are diminishing, in favor of "spear-phishing" -- phishing attacks targeted against specific people -- and other forms of social engineering. Attackers compromise the firewall and get into the network; once inside, the threat becomes an insider threat.
Denial Of Service Increasing
Companies are experiencing increased denial-of-service attacks, Guttman said, speculating that the attacks might be distracting from other, more subtle efforts.
Kwon agreed that the attacks might be a diversion. "You wonder if the loud noise you can readily detect in your system is masking the symptoms of a more stealthy attack," she said.
Companies can protect against risks by understanding their current business, and the direction their businesses are going, said Guttman. For example, Time Inc. has gone from primarily being a magazine company to primarily being an online company, bringing different risks.
Companies can also manage risk by aligning IT security with other parts of the organization, for example, the parts of the business that protect against fraud and guard privacy.
Companies need to spend appropriately, Johnson said. Gartner estimates that companies in a steady state spend 3-4% of the IT budget on security, and up to 7-8% when companies are taking preventive action. But Pacific Northwest thinks that's too low; it tries to spend 6% consistently to stay on top of risks.
Enterprises can manage risk by understanding what's at stake. Computers aren't what is important; it's the business as a whole that needs to be protected, Kwon said. Johnson added that security also protects customer confidence.
Guttman said she doesn't like to use the word "security." Instead, she likes to say they're "managing risk." "The reason I have a beef about the word 'security' is because we keep saying we're not secure, and yet that's what we do," she said.
InformationWeek has published an in-depth report on managing risk.