Slashdot Mirror


The Most Secure Companies Spend The Least?

iPodBoy writes "The Reg has an interesting article with some choice quotes from Gartner, showing that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure. Gartner also had a choice quote for Microsoft, describing Windows as 'the biggest beta test in history,' and warned IT security pros not to expect too much from Microsoft's vaunted Trustworthy Computing initiative."

6 of 29 comments

  1. In other news... by Lord+Prox · Score: 5, Funny

    A multi-year, million-dollar study now confirms that a fool and his money are soon parted.

  2. Gartner.clue by richie2000 · Score: 4, Informative
    It's amazing the level of clueness (it's a word, I tell you!) they seem to possess over at Gartner. No, really. If you don't read the article, at least read this bit:

    Gartner has identified IT security technologies enterprises will need over the next five years - and other technologies most companies probably won't need. On the enterprise shopping list is host-based intrusion prevention, identity management, 802.1X authentication and gateway spam and AV scanning. Security technologies Gartner reckons most companies can safely do without include personal digital signatures, biometrics, enterprise digital rights management and 500-page security policies.

    Their stab at Microsoft is par for the course, but this is just beautiful. :-)

    --
    Money for nothing, pix for free
  3. It's true by skinfitz · Score: 4, Funny

    You know I know a builder who doesn't use computers at all. You know what? Now I think about it, he's NEVER been haxx0red!

  4. Makes perfect sense by photon317 · Score: 4, Insightful

    A company will always be somewhere in the spectrum between two extremes:

    1) They have knowledgeable, competent staff in the areas of computer security, who can get all the practical computer security that's possible with minimal money spent on 3rd party products and consulting.

    2) They don't have anyone who knows what they're doing about security, so they just fall into a cycle of throwing money at the problem, fail to get it right, throw more money, repeat ad nauseam. The money gets spent on consultants and on whatever whizbang buzzword-laden security product the PHCIO just heard about in his favorite IT Mag for Dummies.

    Hence the companies that are the most secure tend to be the ones spending the least money on security. I get the feeling that shops which are closer to category 2 are going to read the Gartner summary and decide to cut their IT security budgets in half in hopes that fixes all their problems, instead of investigating the real underlying issues: hiring competent people who can do security.

    --
    11*43+456^2
  5. Securing people is the hard part. by uncoveror · Score: 4, Insightful
    You can password protect every system in the place, install a firewall and every kind of malware scanner, but people can still be hacked.

    If somebody calls the twinkiehead receptionist claiming to be from I.T., will she answer every question he asks? If an outsider claiming to be one of the big bosses calls the help desk saying he's locked out, and needs his password reset, will they do it for him? When the guys in the server room go to lunch, do they lock the door? If you sweet talk the fat old man dressed as a cop, will he use his own keycard to let you into a secured room?

    People are easy to hack, and hard to secure, but training courses for them are a better investment than new whizbangs.

    --
    The Uncoveror: It's the real news.
  6. I'd like to know more about the study by bushidocoder · Score: 4, Interesting

    I'd like to know more about how the percentage costs were distributed across companies by size and type of company. Also, what is considered a security cost? Are desktop OS upgrades from Win9x to XP lumped in there? I'd love to datamine their raw results and see what the real trends are.

    Smaller companies (500) can oftentimes get by with a single fantastic main admin. As your company grows into the thousands, you probably need multiple main admins at multiple satellite offices, each with his or her own way of doing things. That can affect the results; at the same time, that can mitigate the effects of a less qualified admin.

    Larger companies also oftentimes have nonsensical bureaucratic IT policies. Smaller companies generally trust their individual admin's opinions more often regarding the purchase of new hardware/software, whereas larger corporations tend to make those types of decisions in the boardroom. I don't think there's a technical upside to that, but I might be wrong.

    On the flipside, though, I suspect that smaller companies are more apt to hire underexperienced MCSEs as admins because I suspect their salary offerings won't be as high as companies large enough to have been burned multiple times before. But I could be wrong there too; maybe smaller companies have the edge on better people too.

    Do companies that provide technical services (not necessarily in IT; it could be anything like civil engineering) gain anything from having a higher percentage of engineering minds on staff, or does that result in a higher rate of people "fiddling" with their computer in ways that make it more vulnerable?

    What's the distribution of desktop OSes within these groups? Like WinXP or not, everyone has to at least admit that it's substantially more secure than the Win9x series.

    What percentage of companies take advantage of the strong group and IPsec policies in Active Directory? Do they make much difference? Has anyone not living in Redmond actually figured IPsec group policies out yet?

    In any case, I think there are way too many variables to start pointing fingers at Microsoft. Sure, their security policies have bordered on moronic at times, but honestly, to the best of my knowledge, there probably isn't a Linux desktop network large enough to compete with the top 100 largest Windows networks. It's a different ballgame at that scale, and while the desktop Linux teams are paying close attention to the failures of Microsoft as they develop their products, we don't know how they'll rate until they're actually out there.