Slashdot Mirror


Survey On Security Investment Trends

whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations. Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."

3 of 67 comments

  1. Don't read too much into it by Clovert+Agent · Score: 5, Insightful

    You can overanalyse data and get anything out of it. Stats are useful, but only in perspective. I wouldn't make any big decisions based on this survey.

    For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents"

    So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.

    One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!

    The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.

    I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.

  2. Lies, damn lies, and statistics by mmoncur · Score: 4, Interesting

    Hmmm. Only 215 "qualified respondents" that provided "reliable information". Then they divide them into small, medium, large, and very large sites. Assuming small networks outnumber large ones by a long shot, just how many "very large" networks (10,000+ machines) could they be getting results from?

    Between the questionable statistics and the bizarre correlation between security and sex mentioned in the first paragraph, this article is nothing but a large serving of Buzzword Soup topped with noise and a sprinkling of anecdotal evidence, with yummy USA-Today-style pie charts for dessert.

    --

    It's Slashdot's evil twin... SlashNOT

  3. Re:screw it, here is the summary by t00tie · Score: 4, Insightful

    "Malicious code, such as viruses, worms and Trojans, remains the number one most concern of most IT security professionals"

    I'm an IT security professional, and this really scares me. There are gaping holes in most organisations' internal security that far outweigh the threats from external sources. Examples include:

    • Paranoid mobile-office/home access to the corporate network with virus scanners and what-have-you, while username/password for the mainframe travels in the clear on the corporate LAN.
    • Application (especially web) security with more holes than swiss cheese.
    • Internal users who have full access to everything, and not even decent routines for potentially devastating tasks. Last summer here in Norway most banks stood still because a techie formatted the wrong SAN box in a vital datacentre!
    We're very(?) good at protecting from untrusted users & systems, but not against trusted users & systems. Learning the difference between trusted and trustworthy is extremely educating (ref)!

    --

    I asked my closed-source vendor about ubiquitous computing.
    He answered "Oh no! You-not-be-quit-us!"