Enterprise security is causing the IT community undue stress, and it's time that IT leaders adopt a more open, accepting stance to it. The 2002 InfoWorld IT Security Survey of almost 600 IT decision-makers reveals that they worry about a broad spectrum of attacks, even though the odds of suffering damage by most of them are slim. Also, too many companies overspend on security, their yearly expenditures outpacing potential damages by, on average, 18 to 1.

No matter how much cash you pour into security, you can't prevent every attack. On average, companies plan to spend $3.6 million on security products and services during the next year, whereas the average cost of security breaches in the past 12 months was $193,000. Some companies are paying many times more for insurance than they're likely to suffer in losses. It's cheaper and less stressful to design a resilient network that blocks everything it reasonably can and quickly contains and recovers from successful attacks.

There are both too much spending and too many successful attacks because a large contingent of the IT community refuses to share its hard-won security knowledge. What IT needs is a better-considered, more realistic application of existing tools based on collective wisdom.

As it stands, what should be a sturdy defensive wall is missing every third brick -- and those holes can't be spackled with money. Working with the security experts of JiniServices, we help develop a consensus on which attacks are worth preventing and which countermeasures work best.