The Most Secure Companies Spend The Least?
iPodBoy writes "The Reg has an interesting article with some choice quotes from Gartner, showing that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure. Gartner also had a choice quote for Microsoft, describing Windows as 'the biggest beta test in history,' and warned IT security pros not to expect too much from Microsoft's vaunted Trustworthy Computing initiative."
Oxymoron for the Internet Age.
Note to astroturfers: Marking truths as trolls doesn't change the truth value of the post but doing so does display your attitude towards truth. Mark away foolish ones.
Everything in the Universe sucks: It's the law!
So, consulting firms like Gartner say "Windows is insecure". Big deal. Gartner is for hire for PR fodder. You know who to ask if you want the real dirt on what has problems? IT professionals, the sort of people who frequent Slashdot. Gartner is trying to approximate what an IT professional would say.
Do I think Windows has security problems? Sure, both in Microsoft applications and in the API at a design level. There is also some missing security functionality, like a sandboxing mechanism. However, I think more of the problem comes from a long tradition of single-user systems and application developers not writing security-conscious code. Who calls out Adobe for, say, opening a local system vulnerability with Photoshop? Nobody. On the other hand, if OSS/Linux or Oracle opens a hole on a *IX box, then people make noise.
My issue is not that Microsoft is accused of having security problems when they don't have any (though, to be fair, Linux isn't perfect either). No, my problem is that *Gartner* saying that Microsoft is insecure should mean nothing to a typical Slashdotter. A typical Slashdotter should be relying on their own experience, not on Gartner. Gartner is for large company CIOs, suits that don't understand technology and want their business decisions fed to them ground up into a nice paste.
May we never see th
As others have said, I wouldn't take Gartner's "information" too seriously. That said, their conclusion makes sense.
Who is more secure, the Windows user with expensive anti-virus software, or the Linux/Mac/UNIX user that does not have anti-virus software? And who has spent more money on security?
Who is more secure, the user of a mail server that has expensive virus detection software or the user of a server configured to simply block attachments?
Money spent on security is typically to duct tape over a security hole. A secure system doesn't need so much duct tape.
A company will always be somewhere in the spectrum between two extremes:
1) They have knowledgeable, competent staff in the areas of computer security, who can get all the practical computer security that's possible with minimal money spent on 3rd party products and consulting.
2) They don't have anyone who knows what they're doing about security, so they just fall into a cycle of throwing money at the problem, fail to get it right, throw more money, repeat ad nauseam. The money gets spent on consultants and on whatever whizbang buzzword-laden security product the PHCIO just heard about in his favorite IT Mag for Dummies.
Hence the companies that are the most secure tend to be the ones spending the least money on security. I get the feeling that shops which are closer to category 2 are going to read the Gartner summary and decide to cut their IT security budgets in half in hopes that fixes all their problems, instead of investigating the real underlying issues: hiring competent people who can do security.
11*43+456^2
If somebody calls the twinkiehead receptionist claiming to be from I.T., will she answer every question he asks? If an outsider claiming to be one of the big bosses calls the help desk saying he's locked out, and needs his password reset, will they do it for him? When the guys in the server room go to lunch, do they lock the door? If you sweet talk the fat old man dressed as a cop, will he use his own keycard to let you into a secured room?
People are easy to hack, and hard to secure, but training courses for them are a better investment than new whizbangs.
The Uncoveror: It's the real news.
Or take away their right to install software and run ActiveX components on their computers. If you already have a license to lock them down, at least do it right.
Bye!
First, taking away rights to install software can be difficult if you support a user base that needs to have admin rights on their own systems.
Second, I'm just a desktop support guy. I fix computers all day and get a check at the end of the week. Creating policies is not something that's in my job description. Enforcing policies that cause friction between me and my customer base is something I tend to avoid.
I don't have a lot of confidence that complaining to management about the situation is going to get anything done. So I try to educate my customer base as well as I can. I keep my customers happy, and I don't hear any complaints from above. Besides, cleaning off spyware = plenty of work = job security.