Businesses Spend 20% of IT Budgets on Security 141
Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."
that's how we roll around here (Score:5, Funny)
That makes sense. I mean, nerf weapons count as a security expense, right?
Re:that's how we roll around here (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
(Ok, terrible joke. I know)
1 layer of the onion (Score:1)
In terms the Nubian can understand, that means we also have the matching shields and hats.
Re: (Score:2)
Re: (Score:1)
To bad most of it is Stupid Security. (Score:4, Insightful)
want to think they are safe but they never really consider the underlining problems with security.
90% of the Market is using the SAME FREAKING OS! So they work on blocking legit Web Mail so
Windows Viruses cant get in. Scanning all attachments to make sure there is no VBScript in Office
For Windows Documents. Trying to block sites that could possible be considered to have Windows Spyware.
Stop using freaking Windows all the time. Linux/Mac Workstations with VMWare to load Windows for those
Windows only apps, Stop wasting time with making Windows Console application and focus on Web Based Apps
Even if it is with
Of course gust going to a different OS isn't the only solution you need good firewalls and such. But...
The core of the problem is Windows. Get Rid of Windows or reduce it to more bit parts then your companies
security is so much better.
Yes PHB MBA wont get it, they are afraid of doing anything differently then the rest. IT people will resist
too because they don't know Linux or Macs as well as windows and are not willing to learn. But if you need
to focus on security you need be different then the rest.
You need to be flexible so If Macs or Linux becomes insecure (One to many features can cause that problem) then
your custom apps need to be multi-platform or at least cross compilable to move from one system to an other.
That is the correct direction for security. Not this Block you from getting you work done stuff.
Re:To bad most of it is Stupid Security. (Score:5, Insightful)
The real threat is ignorance here. That includes buying unnecessary security equipment, operating and running the system itself, and improperly using software firewall and routing.
Re: (Score:2)
Actually, a linux box in the hands of a clueless user can be just as dangerous if not more so than a windows box in the same hands.
Depends on the distro...I've seen some live CDs that could cause trouble in the hands of a padawan...
The real threat is ignorance here.
I'm not so sure. I'm more likely likely to attribute illegal intrusions/Tphtphtph-ware to the weenies engaged in it. I'm not saying it's impossible to accidentally write fast-spreading worms, [wikipedia.org] but I believe it's a wee bit rarer than the intentional sort.
Re: (Score:1)
Lets compare apples to apples peoples!
Depends on your view of "security" (Score:4, Informative)
You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.
But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.
I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that any like a default Linux install is inherently secure, especially when it comes to auditing and attribution.
Re: (Score:2)
Re: (Score:2)
When you are talking about Linux, BSD, Solaris, etc, yes, it is.
When talking about Windows, you have to clear all the way from browsers that execute arbitrary code from the web; files that execute automaticaly and the interface won't let you know beforehand; media that execute automaticaly, virus that spread trough text files, spreadsheets, images, video, etc; dialogs appearing all the time, trainning the user to agree to every one of them; And the list goes on...
Re: (Score:1)
In Short... (Score:3, Insightful)
I can't believe business (we currently do) have "hiring/bonus/travel" freeze but don't think twice about spending money on MS Software specifically. I guess better to pay MS employees than your own.
Re:To bad most of it is Stupid Security. (Score:4, Insightful)
I am no fan of Microsoft- after much fighting with my boss over it, I'm the only person in a mid-sized web design company running Linux on his desktop, but the core problem has nothing to do with Windows- at least not solely.
The problem comes down to several things:
Incompetence of users: This is the only place the the end OS really makes a difference, but all in all, I'd rather see the morons using Windows than Linux, just because they are already familiar with it. It's pretty tough to convince the uppers to retrain an entire company. That time and effort could in fact be better spent working on virus protection, network monitoring, etc., which any responsible security team still needs to do.
Pre-existing infrastructure: Companies start small, usually with the IT department consisting of a guy who sort of knows how to build computers. As the company grows, the infrastructure is forced to expand with it. Generally, this invlolves hacks and patching things together until it reaches a breaking point and a real network engineer is brought in. The problem there is that he still needs to keep everything up and running. You can't exactly take down a network, lead/customer management database, external web applications, etc, rebuild them all from scratch, then move everybody over. If the company can't maintain a baseline of functionality, than a security/network overhaul won't do anybody any good.
Cluelessness of management: Spending money on security rarely affect's the company's bottom end directly. The only way to get them to take security seriously is to show them what it will cost them to not do so. This isn't as hard as it sounds though- if you can convince upper management to participate in creating company security policy, you can start to show them that A) security involves not just confidentiality, but also availability and integrity of assets- two aspects that are far more critical, particularly in upper management's eyes. B) Protection of those assets is the responsibility of management. Hiring a security guy will do no good unless he has support from the top. When something goes wrong, they may have a patsy, but they suddenly won't have that database of customer information.
It's nice to hear that companies are spending 20% of IT budgets on security, though I don't believe it. Regardless, there is definitely a positive trend. The companies are starting to realize that security isn't something you can pick up for the price of a firewall and a pentest- it's a cyclical process involving constant auditing, defining and refining processes in all aspects of the company (which is why management support is so critical), and most importantly, fixing problems WITHOUT interrupting the normal flow of business.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
I call bull (Score:3, Funny)
Re:I call bull (Score:5, Informative)
When I think about it, it probably isn't 20% of the total expenses, but it would have to be close.
Re: (Score:2, Informative)
E-mail filtering: Just some spamfiltering and clamav so we don't propagate virusses in case somebody decides to forward it
Web content filtering: A big loss in $$$ since every single one of your employees WILL find a way around it which reduces security to even less since they'll be using less controllable techniques while having to look for it on Warez sites (which do have a lot of issues with random virusses etc.)
Anti-viru
Re: (Score:2)
Re: (Score:1)
And why would that surprise you? Like it or not (I certainly don't), windoze is the most common OS in the world - be it desktops, workstations, laptops, file / app / print / web servers
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
I've worked in management for several Fortune 500 companies and you would have to include all SOX activities and all your redundancy (including hardware, datacenters and staff) in the "security" to even come close to these numbers.
A very rough ballpark is that 1/3 is people, 1/3 is depreciation and 1/3 is hardware/software.
Or sliced diffe
Re: (Score:3, Informative)
> that much of the budget, except maybe if the surveyed all use Windoze...
I'm sure a significant percentage of them use Windows, but what you're probably missing is that a lot of the security stuff that's typically sold to corporations (including, even, firewall solutions) is sold on a subscription basis, so that you have to pay every n (typically, twelve) months just to keep the same level of protecti
Those things certainly are part of I.S. security.. (Score:2)
Confidentiality
Integrity
Availability
UPS and RAID are part of Availability and tape backups (disaster recovery) are considered under both Availability and Integrity.
Re: (Score:3, Informative)
AV , Client firewall, Integrity checkers and patch deployment, VPN, Firewall, Compliance, etc in a Windows shop ramp up to somewhere around there. Actually, quite often they are even more.
pebkac security patch (Score:3, Insightful)
Re: (Score:1)
You guessed it, even the people he managed new it...
Re:pebkac security patch (Score:5, Funny)
Just happened today: The uber-friendly shopkeeper next door asked me to help him void a transaction. When the password prompt came up, he looked at me and simply said, "1-2-3-4-5."
I couldn't resist. I looked back at him and said, "That's funny. I've got the same combination on my luggage..." [wikiquote.org]
Re: (Score:1, Interesting)
Re: (Score:2)
Oh, believe me, I know. I wasn't using the "amusing" connotation of the word "funny". What tore me up was he blurted out his password QUITE loudly... in front of customers. Thank God I trained myself to keep a straight face when I was younger...
Re: (Score:3, Insightful)
On average, not nearly enough. Employee training practically always gets shortchanged, and I'm not just talking about computer security, or even just about computer technology generally. It's true across the board in most industries.
Worse, in a lot of industries, the money that _is_ budgetted for employee training gets mostly wasted on worthless nonsense, not spent on the training the employees could actually *use*.
And then what part goes to anti-spam? (Score:3, Interesting)
Even if you're just running some spiffy implementation of spam assasin, it still gets your time at some frequency to update the rules, amongst other things.
Re: (Score:1)
"The survey results also revealed that for each dollar spent on security, about 42 cents goes toward technology product purchases. In general, 17 cents goes toward security-related processes; 15 cents covers training; 12 cents for assessments; and 9 cents pays for certification. The balance goes to other items."
"Security" analysts (Score:5, Insightful)
Don't even get me started on social engineering and how circumventable many secured entry systems are. It's a sad thought that someone posing as a lowly janitor could have free rein in most data centers.
P.S. Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.
Re: (Score:3, Interesting)
At my workplace the security people combined the ID card with the RFID access card so now if you lose the RFID card the person who finds it can go directly to our site and walk in.
Re: (Score:2)
Re: (Score:2)
Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.
Hi there! I write security policies. Now I can't answer for the situation where you work, but there are two responses to this...
lol (Score:5, Funny)
Re: (Score:2)
You forgot the "oh wait
necessary precautions though? (Score:1)
Pfft! (Score:2)
Re: (Score:3, Insightful)
Insightful question.
Managers and the clueless (obviously not mutually exclusive sets!) are always looking for a "security product", the silver bullet.
The reality is that security is a process, not a product. You have to incorporate it into your policies, plans an
20%, sure ... (Score:2)
increase in security budgets (Score:1)
Re: (Score:3, Insightful)
Hahaha (Score:3, Insightful)
Twenty percent...
Oh, that's rich. Oh my. Oh. Hoo!
Flying Spaghetti Monster, I love surveys and statistics. I've worked in internal security for the past couple years at a big accounting firm and as a security consultant for many years before this.
Everyone knows they should be doing more to stay secure, but that fact is security doesn't do anything obviously positive for the bottom line. It's like flossing: most people floss when they have some chicken stuck between their molars but they don't do it every night. (Little tip for everyone trying to get money for security: give up on ROI; sell it like you're selling an insurance policy.)
When CIOs or CISOs get these surveys they fluff the numbers because they know they are supposed to be secure even if they have a hard time justifying security spending to the Board. "Oh yeah, we spent $X on Security. That's about 15-25% of our IT budget." What they don't say is that number includes the payroll (including salary, benefits, and payroll taxes) of all IT staff that have anything to do with security, audit, or regulatory compliance.
Contrast that with asking them what they spent on email they'd probably tell you about their Exchange license fees and maybe some server hardware. They'll leave out staffing costs, retention software and SAN, etc.
My guess is that the average IT budget is spending maybe -- MAYBE -- 10% on security, audit, and compliance related expenses.
I will admit here that I didn't RTFA. If the survey population was mostly US-based publicly traded companies that fall under SOX regulations the 20% number is a tiny bit more believable because CFOs and CEOs don't want to go to jail based on a fuckup by a minimum wage (in their frame of reference) IT staffer.
Re: (Score:3, Interesting)
Re:Hahaha (Score:5, Insightful)
Look, you run a company. How do you see the world? You see it in terms of money coming in
Now, let's take a look at some other internal functions in any company:
Sales & Marketing? Not a profit center, but without it there'll be no profits, plus which suits understand those departments. They generally haven't a clue how design and production work.
Accounting? Not a profit center
Customer support? Not a profit center. "Too bad our drain-bamaged customers can't handle all their own problems, we'd save a bundle. No, we're not going to upgrade the call center, matter of fact we're shipping it to India next month. Start training Habib here
Internal IT department? Not a profit center. "Too bad all those stupid people that work for us can't handle their own problems. We'd save a bundle. Also, you gotta watch those IT guys, always wanting to spend our money on the latest fancy computer toys."
So far as external threats are concerned
That's what I'm talking about. I'm sorry if you're an IT guy and took offense, but the facts are clear: IT and its very important offshoot, network security are simply not in the average PHBs top ten list of important areas to spend money. There are some corporations that get it, and make themselves into hard targets, but not enough. Not nearly enough. Part of the problem is that good security is more a matter of good people that it is good equipment.
Re: (Score:2, Insightful)
Security is tricky... (Score:5, Insightful)
But the trick is, a sufficiently well-planned attack can defeat security without anyone knowing it happened. So you can't really rely on a count like the number of detected intrusions (whether they were thwarted or not). The result of this fact is that there's a huge amount of crosstalk about "best practices" and what's Good Security and what's not. You could have a system that tracks N intrusions per year, and thwarts them all, but if there were 2N intrusions that were not detected (let alone thwarted)... you go around claiming you've got great security, but do you really?
This doesn't mean we shouldn't try to have security, obviously, but it does mean that security is a giant, tricky grey area.
Re: (Score:1)
Always assume someone has a zero day rootkit for every server you run. You live in fantasy land if you think there aren't hackers that could pwn your system instantly in this world.
Done.
Sean
Re: (Score:1)
Stupid users
Information Disclosure
Fires, floods and nuclear apocalyps
keeping the source tree for your new video game from going public
That hard copy of the company directory that just got thrown in the dumpster out back
the list goes on and on...
There's a lot more to security than keeping the script kiddies off your web server.
Re: (Score:1)
Host vs. Network (Score:2)
Detecting an attack is easier to do then thwarting an attack, and obviously so. What is sad is that many IT types would rather not even know about attacks because then they are liable. Ignorance, even in IT, is bliss.
I once tested a network monitor that I
Re: (Score:2, Informative)
Security isn't "tricky" or a "grey area". Security is awareness. Understanding how and where the machines on your network communicate is usually all that's required. If you take the time to study the traffic flows every day, monitor your choke points, and respect the compu
20% !? (Score:2)
Re: (Score:2)
The problem is the crisis mentality that's infected our corporate and governmental sectors. The network guys that do run a tight ship and don't have many problems have a hard time justifying a bigger budget because
It's tough to make the bottom-doll
SPAM, Antivirus, Firewalls, VPNs... (Score:2)
Use OpenBSD... (Score:1)
Linux Admin: "BSD? lolwut? thats like that OS from the fifties right?"
OpenBSD Admin: *sigh*
Security!! Need painkiller (Score:1)
a nice way of saying... (Score:2)
Evidently coffee must be = 21% of IT budgets (Score:3, Insightful)
So many people turn off default security features! (Score:1)
Fedora, RHEL, and CentOS also come with SE Linux enabled by default, it gets turned off more often than Net Filter.
I find it difficult to believe that any significant portion of IT budget goes to security when I see so many
Honesty? (Score:4, Insightful)
Somehow I'm picturing companies answering surveys with 20%, stock investors are probably hearing 2%-5%, and the people who actually make decisions are really putting in about 7%-12%.
Y2K Redux (Score:3, Insightful)
Seems to me that we're seeing another Y2k scenario - there is a real issue, and let's all overreact. Y2K was a profitable business for many consulting firms, contractors, and software vendors. The Y2K situation was something that needed to be addressed but by scaring C-level executives there's great profit to be made!
Read one of the security journals, look at the marketing hype coming out of Symantec, McAfee, and any number of security consulting firms - the primary message is fear. Fear of some unquantifiable buggiman come to get your precious data. Precious little data on how many monsters are out to get your data, but you best be afraid. And I agree - there is reason to be concerned, but no reason to be hysterical and dedicate one fifth of your IT budget to the nebulous Security functions.
How many of these security consultants are brand new? How many are receiving certifications from the very same groups that are attempting to promote the opinion that there's a security crisis? Can you fix security problems yourself, within your own firm? Damn likely. Many IT groups underestimate their abilities (or their senior managers do), and outsource a job that could, perhaps, be done better in house.
I realize that we can't ignore the security issue, just as we couldn't ignore Y2K. But hysterically throwing money onto the problem won't solve the problem either. Don't waste your money if you can avoid it. Don't just fall for the drama of the moment if at all possible
Security is expensive (Score:1)
hmmm (Score:1)
Cost-benefit analysis? (Score:1)
I found this book review which seems to suggest that nobody knows:
At current rate of increase, by my calculations... (Score:1)
Either someone has to increase IT's budget before the 100% mark is reached in 2013, or the DBAs should be sent out to pillage from Accounts Receivable.
...for certain definitions of "security" (Score:2)
Real security--IDS, systems and network monitoring, incident response, still gets short shrift--mostly a bit of lip service whenever Sarbanes-Oxley gets tossed around but no real support. It's hard to get a budget though, when security geeks aren't geared up for
damned lies and statistics (Score:1)
If you can measure it, it's probably bullshit (Score:2)
Real security work is integrated. How do you measure, "decided to write it to avoid the possibility of buffer overflows" or "designed it to not execute foreign code when an ignorant user merely 'clicks' on something" in your budget?
They spill the bullshitbeans here:
They're just talking about how much was spent buying faux-security products. "Security enforcement technologies," s
Contradicted by another survey (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
In the time they take to get a poorly secured *nix box they could have taken over dozens of badly set up MS Windows boxes.
That's to be expected. Given the market share disparity, even if every other factor was equivalent [0], you would still expect to see at least ca. 40:1 "pwnership ratio".
[0] And they're not. Without even bringing technical aspects into the discussion, Windows is already at a serious disadvantage to Linux in terms of "security" because if its user demographic.
Re: (Score:2)
A common misconception but easily corrected by paying attention. The Apache vs Microsoft ISS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit. Furthurmore you HAVE to bring technical aspects into the discussion for it to be anything other than worthless fortunetelling.
Re: (Score:3, Insightful)
A common misconception but easily corrected by paying attention.
Anyone who doesn't think market share is a significant contributor to a product's "security record", is a fool blinded by zealotry. There are so many critical aspects of "security" that are related to market share, it's simply an inescapable factor.
The Apache vs Microsoft ISS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit.
Those
Re: (Score:1)
Or is 'Indian' to be taken in the same context as 'Negro'?
Re: (Score:2)
I want to know why someone from India isn't already an Asian.
Because I was using it in the context of ethnicity, not what continent they were born on.
Or is 'Indian' to be taken in the same context as 'Negro'?
Uh, not sure what context you're inferring...
Re: (Score:2)
And I'm the one being accused of being a fool blinded by zealotry? Some of us have used it a lot and read hundreds of the MS white papers to get around problems you know, we still use it in situations where it makes sense. It was good enough for what it did because it was a cheap OS running on cheap hardware however only MS marketing people furthur enhanced by drugs would be making that sort of claim in anything othe
Re: (Score:2)
And I'm the one being accused of being a fool blinded by zealotry?
Yes. Because apparently you think, despite all contemporary OSes being basically equivalent in terms of capabilities and features - marketshare has no influence on a product's "security".
Some of us have used it a lot and read hundreds of the MS white papers to get around problems you know, we still use it in situations where it makes sense. It was good enough for what it did because it was a cheap OS running on cheap hardware however onl
Re: (Score:2)
I must admit I have not heard such a statement from anybody that does a great deal of work with computers and do not expect to. On anything other than an extremely superficial level there are many differences.
I hate to use the "you must be new here" line but you have been greatly misled by somebody about this. For a
Re: (Score:2)
I must admit I have not heard such a statement from anybody that does a great deal of work with computers and do not expect to. On anything other than an extremely superficial level there are many differences.
For example ? What major, relevant architectural features are not found in all of the major OSes (and haven't been for the better part of a decade) ?
I hate to use the "you must be new here" line but you have been greatly misled by somebody about this. For a variety of reasons the security model f
Re: (Score:2)
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken repect - it is uncivilised. While it is unlikely to work here with anybody that is familiar with more than one operating system and can see the holes I'll bet you use it in other forums or on other topics. The 1993 bit could throw the young off track a bit and
Re: (Score:2)
No little bullying insults? It's all there above and a bit is quoted here:
No. Although when you choose to deceptively quote out of context, you can certainly make it look that way.
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken repect - it is uncivilised.
I am trying to talk about the subject matter. You, on the other hand, repeatedly ignore attempts to do so, preferring to concentrate on a deconstruction of how I choose
Re: (Score:2)
No little bullying insults? It's all there above and a bit is quoted here:
No. Although when you choose to deceptively quote out of context, you can certainly make it look that way.
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken repect - it is uncivilised.
I am trying to talk about the subject matter. You, on the other hand, repeatedly ignore attempts to do so, preferring to concentrate on a deconstruction of how I choose
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Personally, I feel that the majority of viruses run on Windows for many reasons, including that it's a bigger target, a softer target, and, by and large, a dumber target. The average Linux user is much more tech-savvy than the average Window
Re: (Score:2)
Those red ones should be easy to spot.