Slashdot Mirror


Survey On Security Investment Trends

whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations. Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."


  1. Spending per capita versus by bluephone · · Score: 3, Interesting
    The idea that fixed spending per capita versus a share of a budget shouldn't surprise anyone. Merely taking into account volume discounts of products brings the per-machine cost down. But this does bring up a good point for execs to look at, in terms of security doesn't HAVE to cost a lot to be effective, if the spending is done wisely. Too many execs skimp on security due to fear of cost, perceived low ROI, and underestimated exposure risk. It's the typical "It happens somewhere else, but never here" mentality that affects too many sections of society.

    The problem from the clients I've interacted with over the years has rarely been that they spend too much due to wanting X dollars per machine, but their failure to realize that they too may be vulnerable to threats that they think can't happen. As in many cases in this industry, the bulk of the problem lies about 20 inches in front of the screen. I've often found that some money spent on education is what is needed the most.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  2. screw it, here is the summary by plasticquart · · Score: 3, Informative
    Herndon, VA - September 17, 2002 - A new survey released by Information Security magazine reveals that large organizations are at far greater risk to hacking and viruses than small companies due to organizational dynamics that hinder the implementation of effective security practices. According to the survey, the first of its kind to benchmark critical IT security trends and practices by organization size, small companies spend nearly 20 percent of their IT budgets on security, while large companies spend only 5 percent, and suffer five times as many security incidents.

    Some of the major findings of the Information Security Magazine survey include:

    • Malicious code, such as viruses, worms and Trojans, remains the number one concern of most IT security professionals. Some 31 percent of survey respondents said it was their most important problem, followed by the security of authorized users (23 percent) and security vulnerabilities in IT and telecommunications equipment (15 percent).
    • IT security remains a cottage industry when it comes to the establishment and implementation of formal policies and procedures. In multiple ways, IT security is still trying to gain a foothold in the day-to-day activities that govern an organization's operation and culture.
    • As organizations get larger in size, their security departments are not keeping up with the demands of increasingly complex organizational infrastructures. Security spending per user and per machine declines exponentially as organizations grow, leaving most handcuffed when it comes to implementing effective security practices.
    • Spending money on security does not reduce the number of incidents or the probability or extent of loss stemming from those incidents. But allocating more budget and resources to security does not increase an organization's ability to detect loss.
    • Senior IT security professionals have little authority in driving the overall security mission in their organizations. Only 10 percent of chief information security officers (CISOs) report to the board of directors. And while 88 percent of CISOs prepare security budgets, only 37 percent of them approve budgets.
    1. Re:screw it, here is the summary by t00tie · · Score: 4, Insightful
      "Malicious code, such as viruses, worms and Trojans, remains the number one most concern of most IT security professionals"

      I'm an IT security professional, and this really scares me. There are gaping holes in most organisations' internal security that far outweigh the threats from external sources. Examples include:

      • Paranoid mobile-office/home access to the corporate network with virus scanners and what-have-you, while username/password for the mainframe travels in the clear on the corporate LAN.
      • Application (especially web) security with more holes than swiss cheese.
      • Internal users who have full access to everything, and not even decent routines for potentially devastating tasks. Last summer here in Norway most banks stood still because a techie formatted the wrong SAN box in a vital datacentre!
      We're very(?) good at protecting from untrusted users & systems, but not against trusted users & systems. Learning the difference between trusted and trustworthy is extremely educating ( ref )!
      --
      I asked my closed-source vendor about ubiquitous computing.
      He answered "Oh no! You-not-be-quit-us!"
  3. Don't read too much into it by Clovert Agent · · Score: 5, Insightful

    You can overanalyse data and get anything out of it. Stats are useful, but only in perspective. I wouldn't make any big decisions based on this survey.

    For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents"

    So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.

    One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!

    The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.

    I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.

    1. Re:Don't read too much into it by Perdo · · Score: 3, Insightful

      Exactly how many companies are there with over 10,000 computers? Getting 52 of them seems to represent a good percentage of them. Keep in mind that Microsoft has about 35,000 machines, Google has 22,000 machines and Enron had much less than 10,000 (nice DoveBid auctions, btw).

      That seems like the best data that could be gotten given that most companies that large would not respond or would be evasive in their answers.

      --

      If voting were effective, it would be illegal by now.

  4. Blind faith in the firewall by Anonymous Coward · · Score: 3, Informative

    All too often organizations will also trust the firewall to keep the company secure with WAY too little attention to keeping internal machines patched and up to date. Of course, this leads to a single point of failure, and if anyone makes it past the firewall it's a total free-for-all.

  5. Lies, damn lies, and statistics by mmoncur · · Score: 4, Interesting

    Hmmm. Only 215 "qualified respondents" that provided "reliable information". Then they divide them into small, medium, large, and very large sites. Assuming small networks outnumber large ones by a long shot, just how many "very large" networks (10,000+ machines) could they be getting results from?

    Between the questionable statistics and the bizarre correlation between security and sex mentioned in the first paragraph, this article is nothing but a large serving of Buzzword Soup topped with noise and a sprinkling of anecdotal evidence, with yummy USA-Today-style pie charts for dessert.

    --

    It's Slashdot's evil twin... SlashNOT
    1. Re:Lies, damn lies, and statistics by doublem · · Score: 3, Funny

      this article is nothing but a large serving of Buzzword Soup

      Which means my boss will be quoting it to me in the morning as a mantra, perfect and undeniable. It will take precedence over my decisions and all those who disagree with it will be fired, er, downsized.

      --
      "Live Free or Die." Don't like it? Then keep out of the USA