Survey On Security Investment Trends
whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations.
Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."
Typical of major corporations to try and drive the bottom line by cost cutting in areas that in today's tech environment are probably the most dangerous over the long term. Of course when something happens it's simple to blame human error and crucify the IT department for not doing their job.
"Hollowpoints: When you care enough to send the very best."
The problem from the clients I've interacted with over the years has rarely been that they spend too much due to wanting X dollars per machine, but in their failure to realize that they too may be vulnerable to threats that they think can't happen. As in many cases in this industry, the bulk of the problem lies about 20 inches in front of the screen. I've often found that some money spent on education is what is needed the most.
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
Press release with summary of the article can be found...
Here
Some of the major findings of the Information Security Magazine survey include:
You can overanalyse data and get anything out of it. Stats are useful, but only in perspective. I wouldn't make any big decisions based on this survey.
For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents"
So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.
One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!
The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.
I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.
Without reading the article in detail (will do it after posting, how clever ;)) that conclusion seems utterly logical. Higher share probably reflects the fact that the company management has understood the importance of IT security. And this probably shows everywhere else in the organisation.
All too often organizations will also trust the firewall to keep the company secure with WAY too little attention to keeping internal machines patched and up to date. Of course, this leads to a single point of failure, and if anyone makes it past the firewall it's a total free-for-all.
Hmmm. Only 215 "qualified respondents" that provided "reliable information". Then they divide them into small, medium, large, and very large sites. Assuming small networks outnumber large ones by a long shot, just how many "very large" networks (10,000+ machines) could they be getting results from?
Between the questionable statistics and the bizarre correlation between security and sex mentioned in the first paragraph, this article is nothing but a large serving of Buzzword Soup topped with noise and a sprinkling of anecdotal evidence, with yummy USA-Today-style pie charts for dessert.
It's Slashdot's evil twin... SlashNOT
The biggest weakness of any security system is always the human part. Overreliance on 'security software' only amplifies the vulnerability of firms to a resourceful attacker.
On a semi-related tangent: Some of you might be interested in the account of how a UC San Diego student with a crummy GPA managed to fast-talk his way into a Silicon Valley investment-banking firm internship.
The Pjammer Chronicles --
...the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount.
Perhaps businesses that spend a larger share of their IT budget on security give it a larger priority in general.
If there is hope, it lies in the trolls.
I wonder if anyone has ever hacked into google? I'm not talking about creating false high listings but actually cracking google's database itself. Getting their full internal Zeitgeist would be a target I assume, based on how useful the extremely limited version they post each month is.
They do have an incredible number of machines all connected directly to the internet.
If voting were effective, it would be illegal by now.
Hahahaha! Gotta love these psychologists...
The Simpsons got it right with the Monroe-guy.
Thanks for the warning, because:
The original poster of that (about 2 years ago) was Vinton Cerf.
When anybody starts a report with "sex", you know they're desperate for something. In this case to make a name for themselves.
The number one concern cited in this article is viruses and malicious code, yet all the corporations want to run Windows, which seems vulnerable down to its root core.
Now, if my company went cold turkey on Windows and MS office it probably couldn't continue to do business. That's right, our business would dry up, real fast. We could use Macs, of course (at huge transition expense, but doable), but we'd still need MS office. I'm an avid home user of OpenOffice (on Linux) - I love the program and have found it entirely serviceable as a general office tool, and it's a tool that could certainly be used by office workers. However, if a pool of secretaries and clerks had to deal with MS office attachments coming in all day, and had to convert all their outgoing work product to MS office-compatible files, that would be a real problem, operationally. For service companies and others doing a lot of business with the outside world (probably most of the corporate world), weaning off of MS office is not a real option at the present time.
So, MS has all these companies by the shorthairs. Microsoft doesn't really HAVE to give a damn, actually, about the security vulnerabilities, because they do not make IT vulnerable in any material sense. The customers have no real choice. Microsoft just has to make it easier to deploy their own products and incorporate more "features", and all the macro, scripting, component and plugin capability built into their products plays into that objective just fine.
Not that it's so terrible to be a MS customer. Their latest enterprise agreements were quite reasonable. You just have to keep paying, and most management accepts that. And you get pretty decent service from them, really. The customer takes all of this (security flaws included), with a big smile on its face! The result is a nice annuity from virtually every business organization in the world. Better than being a tax collector.
Security won't go anywhere, IMO, until either the government or the corporate users en masse get up and demand something better.
One thing I never understood is why Microsoft isn't vulnerable to class action lawsuits, like the pharmaceutical companies get hit with all the time. That would straighten them out real fast. The answer may be that the people who would do this suing would be corporate America, and it's against their ethic to bring these kinds of suits (they're stuck defending them most of the time).
Maybe if times get tougher, or business more competitive, companies will have to think about how much these problems are really costing them, and whether it makes economic sense to start doing something effective about it. I don't think we're there yet.
I always feel painfully left out of these sorts of discussions. I go to SANS and everyone's talking about the newest corporate security firewalls, gizmos, and policies (in the form of precepts that users must obey). These people have it easy, comparatively. Try practicing security on an open, unregulated network that, by design, can't have a firewall protecting the mail/web/blah server(s). Talk to a vendor and they say "Well, you DO have our product behind a firewall, right?"
My environment is much different, and my job is much more difficult. My "very large" network has >60,000 devices, but the ISM seems to assume that any "very large" network must belong to a corporation having centralized structure. 25.9 incidents per year? HA! I wish...
Software suppliers are trying to make their software packages more "user-friendly"... Their best approach, so far, has been to take all the old brochures, and stamp the words, "user-friendly" on the cover.
-- Bill Gates, Microsoft, Inc.
[Pot. Kettle. Black.]
- this post brought to you by the Automated Last Post Generator...