Businesses Spend 20% of IT Budgets on Security
Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."
Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday ... That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004.
That makes sense. I mean, nerf weapons count as a security expense, right?
The theory of relativity doesn't work right in Arkansas.
I have wasted more time making workarounds for these "security fixes" than ever, just because they want to think they are safe but they never really consider the underlying problems with security. 90% of the market is using the SAME FREAKING OS! So they work on blocking legit web mail so Windows viruses can't get in. Scanning all attachments to make sure there is no VBScript in Office for Windows documents. Trying to block sites that could possibly be considered to have Windows spyware.
Stop using freaking Windows all the time. Linux/Mac workstations with VMware to load Windows for those Windows-only apps. Stop wasting time making Windows console applications and focus on web-based apps, even if it is with .NET on a Windows server, which you can run the apps on from any other browser and OS.
Of course just going to a different OS isn't the only solution; you need good firewalls and such. But... the core of the problem is Windows. Get rid of Windows or reduce it to more bit parts, and your company's security is so much better.
Yes, PHB MBAs won't get it; they are afraid of doing anything differently than the rest. IT people will resist too because they don't know Linux or Macs as well as Windows and are not willing to learn. But if you need to focus on security you need to be different than the rest.
You need to be flexible, so if Macs or Linux become insecure (one too many features can cause that problem) then your custom apps need to be multi-platform, or at least cross-compilable, to move from one system to another. That is the correct direction for security. Not this "block you from getting your work done" stuff.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up that much of the budget, except maybe if the surveyed all use Windoze...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I wonder how much of that spending went to training their employees that "password", "letmein" and lastly "123" are *NOT* the best passwords.
Since we now have a way to track security expenditures, we should have some way to track money spent on anti-spam measures. Considering how well the anti-spam hardware and software sells, I'll venture it's a nontrivial expense, as well.
Even if you're just running some spiffy implementation of SpamAssassin, it still gets your time at some frequency to update the rules, amongst other things.
At some of my consulting client sites, I've been underwhelmed by the quality of their "security analyst" staff. I've found that staff seemed to be more interested in putting their name on boilerplate "best practices" to pass off to others, rather than taking a hands-on, collaborative approach in working with sysadmins to really verify that their systems are secure.
Don't even get me started on social engineering and how circumventable many secured entry systems are. It's a sad thought that someone posing as a lowly janitor could have free rein in most data centers.
P.S. Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.
Get with it. Security is the way of the future. LAN administration is on its way down. Security is on its way up. If I had a dollar for every time a rogue wi-fi access point is set up that compromises the whole network... and people using default passwords... anyway... it's no wonder companies need to hire 2 security guys to go around to tell everyone not to make their password their kids'/pets' name/birthday...
It's the same thing people always do when they screw something up and don't know how to fix it - throw money at it. I love it when IT companies get paid to implement "security" features (speed bumps) then "service" (disable) them. It would be like funding an invasion of a country then paying for the reconstruction of all the shit you just blew up~
Haiku for you!
Do these firms spend these security dollars properly, or do they just do as recommended by whichever software/analyst group wants to sell them more software and/or information on holes? How much of the $$$ designated for security is worth it? Anyone have insight into that aspect?
and how much of that goes to the likes of Symantec?
The higher the technology, the sharper that two-edged sword.
Thanks, Microsoft, for innovating the virus industry into existence.
How much of any amount that anyone spends on anything is "worth it"?
This issue is a bit more complicated than you think.
From my point of view, the increase in security budgets is due to the increase in number of ways a system can be attacked. There's no doubt that security is very important for businesses. It's better to spend more on security rather than being attacked and hacked or anything like that, which can lead to more losses.
hahahahahaha!
Twenty percent...
Oh, that's rich. Oh my. Oh. Hoo!
Flying Spaghetti Monster, I love surveys and statistics. I've worked in internal security for the past couple years at a big accounting firm and as a security consultant for many years before this.
Everyone knows they should be doing more to stay secure, but the fact is security doesn't do anything obviously positive for the bottom line. It's like flossing: most people floss when they have some chicken stuck between their molars but they don't do it every night. (Little tip for everyone trying to get money for security: give up on ROI; sell it like you're selling an insurance policy.)
When CIOs or CISOs get these surveys they fluff the numbers because they know they are supposed to be secure even if they have a hard time justifying security spending to the Board. "Oh yeah, we spent $X on Security. That's about 15-25% of our IT budget." What they don't say is that number includes the payroll (including salary, benefits, and payroll taxes) of all IT staff that have anything to do with security, audit, or regulatory compliance.
Contrast that with asking them what they spent on email they'd probably tell you about their Exchange license fees and maybe some server hardware. They'll leave out staffing costs, retention software and SAN, etc.
My guess is that the average IT budget is spending maybe -- MAYBE -- 10% on security, audit, and compliance related expenses.
I will admit here that I didn't RTFA. If the survey population was mostly US-based publicly traded companies that fall under SOX regulations the 20% number is a tiny bit more believable because CFOs and CEOs don't want to go to jail based on a fuckup by a minimum wage (in their frame of reference) IT staffer.
obviously no deficiencies vs. no obvious deficiencies
The trickiest thing about security is that there's no reliable way to tell for sure whether it's worked or not. Any security system can be defeated by a properly designed attack, although for a given system this may never happen if there's no one who has both the resources and desire to defeat it.
But the trick is, a sufficiently well-planned attack can defeat security without anyone knowing it happened. So you can't really rely on a count like the number of detected intrusions (whether they were thwarted or not). The result of this fact is that there's a huge amount of crosstalk about "best practices" and what's Good Security and what's not. You could have a system that tracks N intrusions per year, and thwarts them all, but if there were 2N intrusions that were not detected (let alone thwarted)... you go around claiming you've got great security, but do you really?
This doesn't mean we shouldn't try to have security, obviously, but it does mean that security is a giant, tricky grey area.
Unless they count a UPS, RAID and tape drives as security
...they definitely fit into the FIPS 199 concept of the CIA triad, which stands for:
Confidentiality
Integrity
Availability
UPS and RAID are part of Availability and tape backups (disaster recovery) are considered under both Availability and Integrity.
I probably shouldn't admit this for fear of making my workplace look like an attractive target, but DAMN, there is no way that anything even remotely close to 20% of our IT budget is spent on security. I'd be surprised if it was 2%.
At first glance 20% sounds really high, but once you think about what could be mixed in with security, I'd believe 20%. No, it shouldn't be that high, but thanks to the great Internet thing, that's what we get.
...and its secure from the start.
Linux Admin: "BSD? lolwut? thats like that OS from the fifties right?"
OpenBSD Admin: *sigh*
Obligatory blog plug: http://www.caseybanner.ca/
In terms the Nubian can understand, that means we also have the matching shields and hats.
... Business spend 20% of their IT budgets - but only after spending 80% of the budget on MS software.
I can't believe business (we currently do) have "hiring/bonus/travel" freeze but don't think twice about spending money on MS Software specifically. I guess better to pay MS employees than your own.
...all our Windows systems.
Now I clearly see why nobody wants us to move away from the system that needs most protection.
...and why Symantec, McAfee and security experts try to tell everyone that Linux and OS X are as much in danger as Windows...
In my place, the security and the Windows departments always have misunderstandings. It is not that the security department does not want to beef up security; it is because other departments want special "requests".
...plugging holes in Windows
I think we should allocate some funds for security, because without any security we can't use the system safely and always need to be afraid of the hackers and viruses that are going to attack our system at any time.
"If you spend more on coffee than on IT security, then you will be hacked," [Richard] Clarke said during his keynote address. "What's more, you deserve to be hacked."
"It doesn't cost enough, and it makes too much sense."
You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.
But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.
I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that anything like a default Linux install is inherently secure, especially when it comes to auditing and attribution.
Fedora, Red Hat Enterprise Linux, and CentOS come with a reasonable Net Filter (iptables) configuration by default that allows the necessary operations. It can be easily configured to allow extra ports, trusted interfaces, etc. It often gets turned off because it's supposedly too hard.
Fedora, RHEL, and CentOS also come with SE Linux enabled by default, it gets turned off more often than Net Filter.
I find it difficult to believe that any significant portion of IT budget goes to security when I see so many people turning off things that are free and relatively easy to use.
See http://etbe.coker.com.au/ for my blog.
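A check for the failure mode this comment describes (the distribution's free controls being switched off), added here as an example and not code from the comment or from any distribution. It reads captured text so it runs anywhere; on a live Fedora/RHEL/CentOS host, feed it `cat /etc/selinux/config` and `iptables -S` output instead of the constructed samples.

```shell
#!/bin/sh
# Added example: audit whether SELinux and the default netfilter ruleset are still in force.
# Inputs are text on stdin, so the functions work on captured output as well as live hosts.

# Exit 0 when the SELinux config text on stdin sets SELINUX=enforcing (last setting wins).
selinux_enforcing() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    [ "$mode" = "enforcing" ]
}

# Exit 0 when the `iptables -S` text on stdin actually filters INPUT: either the chain
# policy is DROP/REJECT, or some INPUT rule jumps to DROP/REJECT. "-P INPUT ACCEPT" with
# no such rule is what is left after the rules are flushed or the iptables service stopped.
input_filtered() {
    grep -Eq '^-P INPUT (DROP|REJECT)|^-A INPUT .*-j (DROP|REJECT)'
}

# Constructed sample: SELinux switched off in the config file.
SELINUX_DISABLED='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'

# Constructed sample: the stock RHEL/CentOS style ruleset (ssh allowed, the rest rejected).
RULES_DEFAULT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample: what `iptables -S` shows once the rules have been flushed.
RULES_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Print one line per control; the exit status is the number of controls found switched off.
audit() {
    selinux_cfg=$1; rules=$2; findings=0
    if printf '%s\n' "$selinux_cfg" | selinux_enforcing; then
        echo "selinux: enforcing"
    else
        echo "selinux: NOT enforcing"; findings=$((findings + 1))
    fi
    if printf '%s\n' "$rules" | input_filtered; then
        echo "netfilter: INPUT is filtered"
    else
        echo "netfilter: INPUT accepts everything"; findings=$((findings + 1))
    fi
    return $findings
}

# Both free controls turned off: the audit reports two findings.
audit "$SELINUX_DISABLED" "$RULES_FLUSHED" || echo "controls switched off: $?"
```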
Host based security is tricky because if the host is compromised, a good attacker will cover their tracks. It's harder, maybe even impossible, to cover your tracks when you are dealing with something transparent on the network, like a bump in the wire.
Detecting an attack is easier to do than thwarting an attack, and obviously so. What is sad is that many IT types would rather not even know about attacks because then they are liable. Ignorance, even in IT, is bliss.
I once tested a network monitor that I developed on a live accounting server. They were happy to let me test until I found 3 rogue connections that tracked to known attack vectors. The next day the IT manager disconnected the network monitor and replaced the accounting server with a new box. The old accounting server got formatted before we could see if the rogue connections were actual intrusions. If they weren't, they certainly were suspicious enough to pull the box and replace it.
Crazy question...since nobody else has bothered to ask it...is it possible that the average company feels they will appear more "privacy responsible" by claiming to spend a huge portion on security?
Somehow I'm picturing companies answering surveys with 20%, stock investors are probably hearing 2%-5%, and the people who actually make decisions are really putting in about 7%-12%.
Seems to me that we're seeing another Y2k scenario - there is a real issue, and let's all overreact. Y2K was a profitable business for many consulting firms, contractors, and software vendors. The Y2K situation was something that needed to be addressed but by scaring C-level executives there's great profit to be made!
Read one of the security journals, look at the marketing hype coming out of Symantec, McAfee, and any number of security consulting firms - the primary message is fear. Fear of some unquantifiable bogeyman come to get your precious data. Precious little data on how many monsters are out to get your data, but you best be afraid. And I agree - there is reason to be concerned, but no reason to be hysterical and dedicate one fifth of your IT budget to the nebulous Security functions.
How many of these security consultants are brand new? How many are receiving certifications from the very same groups that are attempting to promote the opinion that there's a security crisis? Can you fix security problems yourself, within your own firm? Damn likely. Many IT groups underestimate their abilities (or their senior managers do), and outsource a job that could, perhaps, be done better in house.
I realize that we can't ignore the security issue, just as we couldn't ignore Y2K. But hysterically throwing money onto the problem won't solve the problem either. Don't waste your money if you can avoid it. Don't just fall for the drama of the moment if at all possible.
It is not impossible that the budget will increase year by year, as we know that security is very important in IT nowadays. A lot of testing has to be performed to produce a secure system. All of this testing requires a huge amount of budget.
It's a good thing they use one over five of the budget on security... security is the most important part of today's life... without it how can we protect our secret information from others... including the military... without it maybe... cavemen would know how many tanks we have and operate... it's worth paying for it... --- (=.=')0... got red for English
I found this book review which seems to suggest that nobody knows:
...security spending will take up 155% of IT's budget in the year 2015.
Either someone has to increase IT's budget before the 100% mark is reached in 2013, or the DBAs should be sent out to pillage from Accounts Receivable.
20%? Seems high, but when you consider the three biggest parts of their "security" budget, "antivirus software, firewalls, and proxy servers," it falls into place--especially since most survey-answerers would lump antivirus measures in with antispam.
Real security--IDS, systems and network monitoring, incident response, still gets short shrift--mostly a bit of lip service whenever Sarbanes-Oxley gets tossed around but no real support. It's hard to get a budget though, when security geeks aren't geared up for a proper risk-cost-analysis.
Too bad most companies vastly underspend on IT in general... so that "20% of all IT spending" is probably much smaller than it sounds.
Real security work is integrated. How do you measure, "decided to write it to avoid the possibility of buffer overflows" or "designed it to not execute foreign code when an ignorant user merely 'clicks' on something" in your budget?
They spill the bullshitbeans here:
They're just talking about how much was spent buying faux-security products. "Security enforcement technologies," sheesh!
If it said, "Spend 4 hours per employee training them to not download and execute arbitrary code from the web and CDs" I'd say it was a meaningful figure. But this analysis is merely a measurement of IT parasitism.
Nowadays the internet has become an important part of human life. Everything is done using the internet, and many companies do their business using the internet to market their products and services. Every year, every month and every day, business on the internet is increasing... and also the cybercrime... Therefore companies need to pay more attention to their security by finding the best solution to defend themselves from attackers or intruders; as a result they need to spend more budget to get good security. The question is, if the cost of cybercrime is increasing, are companies budgeting enough to defend themselves? :) Here is an article about this topic: http://www.darkreading.com/document.asp?doc_id=133814
A report this month by Computer Security Institute says that fewer than 9% of its respondents said they spend more than 10% of their IT budget on security. The bulk of respondents (page 7) said that the number is closer to 2-5%.
From another story on Slashdot, it appears that the State of Ohio had spent much less than average on IT security in the past, but now plans on spending an additional US$8 million because of their foolishly frugal ways.
At Costco, it's about 0.5%
Business people spend money on security while security makes money from it.... Well, welcome to the real world! It's all about money!
I spent 3 years transforming my security department from an IT function to a business function. The VP Technology thought security was simply firewalls and IDS. Throw more at the problem and you are done. I made the case to the company President that my team cannot do their job if the VP of IT gets to decide acceptable risk for the whole company. I managed to sell him on the idea and today IT Security works for the General Counsel. We don't press buttons on firewalls, but instead we act as the GAO for IT in the company. We do audits along with the guys from Finance and present those reports to the General Counsel, who then looks at the liability to the company. Then we present our findings to the entire C-Suite, who is then advised by the General Counsel of the liability that can arise from not correcting our findings. Official minutes are recorded and anyone who votes not to correct an issue will be on the record. At our first presentation the CFO was the first to agree with our General Counsel and authorized $2 million in spending for IT to get extra personnel and equipment. As it turned out the VP never submitted any budget requests for security or to even beef up the mail servers, but his bonus was pretty large (thanks to the guys in financial audit for finding that one).
There are several problems that contribute to security not receiving the attention it should. Most firewall jockeys are at the staff level in an organization. If you're lucky you might be a security manager reporting to the IT Director. If this is the case you are probably not getting the budget you require because you are talking tech to another techie who doesn't really convey the risk to VP and C-Level management. When was the last time someone sat down with the CFO or other execs and expressed concern over the accounting system? Could you carry on a business conversation with one of the executives? They don't want to hear about buffer overflows, and spyware. They want to hear about financial risk, such as a "thing" (a worm or virus to us) that could take down the servers that run the assembly line in the factory and cost them $100k per hour and how spending $25k on a "thing" (antivirus, whatever) fixes a $100k/hr risk. Talk to other people in your company and find out what would really ruin their day.
My advice to any people about to graduate from high school who want to go into security: find yourself a community college and get an A.S. in Information Security, then get a BA in Business (if you can concentrate in management or finance, do it). Then one day go on for an MBA or JD if you want to be VP of Compliance or VP of Security Audit or join the C-Suite of executives. IT Security is no longer just a technical discipline, but a service to the business. We should begin changing with the times.
Security matters are taken seriously recently because many companies are willing to spend investment on it; plus it's a must to have a good security system in business. I think the budget for security is increasing because of the problem with budgeting. Estimating your security costs can be difficult, but if you know how to plan it more precisely there is no problem with the budgeting of IT budgets on security.
In 2007, most firms plan to spend between 7.5% and 9.0% of their IT budgets on security, regardless of their size, geography, and industry. This convergence of budgets points to the maturity of information security discipline and the solidification of the information security role within the organization. As security professionals grow from purely IT-centric and technology-focused roles into information-centric and risk-focused roles, they need a new set of tools and processes to fulfill their responsibilities. As a result, security spending is on the rise again, and organizations across North America and Europe will spend 7.91% of their IT budgets on security, compared with 7.75% in 2006.