That means "they can't measure either the effectiveness of their security practices or their risk levels," Mulligan says, adding that, "thanks to inadequate budgets, just 21% of our server security chiefs have access to test environments that fully duplicate their operating environments."

She says more than a fourth, 28%, have no testing environment or one that does not replicate the productions environment, and "both these conditions increase the risk that changes to the production environment will fail and require removal."

Mulligan also found that "surprisingly, 8% of respondents aren't checking their server patch compliance levels at all–a dangerous prospect. Frequently, common viruses and exploits are preventable but take advantage of mistakenly configured or unpatched server operating systems."

"What separates successful server OS security managers who meet their goals from the rest? Monitoring and configuration tools and consistent, well-defined security processes," Mulligan says.

The Forrester survey found a wide range of policy and practice variation, from tightly run ships to hard-pressed operations moving from crisis to crisis.

The respondents spent an average of 32 hours a month handling urgent events, Mulligan says, but that "is severely skewed by those that spend more than one-quarter of their time handling emergencies. Forty-two of the respondents spend less than 10 hours per month on urgent events–while 28 spend more than 20 hours per month reacting to security problems.

"Clearly, some environments are tightly managed with few emergencies, whereas others operate mainly in reactive mode," the Forrester analyst says.

On another topic, only about half of the

respondents say they harden all their servers,

which Forrester calls a well-established best practice that includes shutting down all unnecessary services, deletes default user accounts and changes all original passwords.

Mulligan also attributes that to possible time pressures, since half of the respondents handle that task manually, compared with 38% who use automated tools from the operating system supplier or third parties.

But not all is bleak, the report says.

"Although security managers are missing their patching deadlines, the average user is taking advantage of some of the tools provided to assist him or her," Mulligan says.

That includes tools from vendors such as CA, BMC Software, HP and IBM that automatically ensure servers are patched and in compliance, as well as taking advantage of default security role settings provided with the operating system.

The Forrester study found that OS security chiefs with tools or specified practices generally get close to or reach their server-patch compliance targets, whether they use automated or manual methods.

"The story is similar for server hardening," Mulligan says. "Those who use tools–and even those who harden their servers manually but follow specified processes–only miss their patching deadlines by between one and six days, while organizations using ad hoc hardening procedures are late by an average of 19 days."

Forrester's advice?

"Remember that server OS security is a continuous process rather than a one-time event," Mulligan says.

"Start by using default OS security profiles, hardening the servers further, maintaining patch compliance over time, and keeping server access permissions up to date. Focus first on hardening all of your Internet-facing and critical servers. Then track how long it currently takes you to patch and update your servers from when the patch is released," she says.

"Aim to reduce this time by 20% or for it to be shorter than a month–whichever is less. Some interviewees successfully maintain a 48-hour patch application window–so until you've hit that target, you can always make improvements."

–[email protected]