Businesses Spend 20% of IT Budgets on Security
Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."
Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday ... That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004.
That makes sense. I mean, nerf weapons count as a security expense, right?
The theory of relativity doesn't work right in Arkansas.
I have wasted more time making workarounds for these "security fixes" than ever just because they
want to think they are safe but they never really consider the underlying problems with security.
90% of the Market is using the SAME FREAKING OS! So they work on blocking legit Web Mail so
Windows Viruses can't get in. Scanning all attachments to make sure there is no VBScript in Office
For Windows Documents. Trying to block sites that could possibly be considered to have Windows Spyware.
Stop using freaking Windows all the time. Linux/Mac Workstations with VMWare to load Windows for those
Windows only apps, Stop wasting time with making Windows Console application and focus on Web Based Apps
Even if it is with .NET on a Windows Server, which you can run the Apps on any other browser, and OS.
Of course just going to a different OS isn't the only solution you need good firewalls and such. But...
The core of the problem is Windows. Get Rid of Windows or reduce it to more bit parts then your company's
security is so much better.
Yes PHB MBA won't get it, they are afraid of doing anything differently than the rest. IT people will resist
too because they don't know Linux or Macs as well as windows and are not willing to learn. But if you need
to focus on security you need to be different than the rest.
You need to be flexible so If Macs or Linux becomes insecure (One too many features can cause that problem) then
your custom apps need to be multi-platform or at least cross compilable to move from one system to another.
That is the correct direction for security. Not this Block you from getting your work done stuff.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up that much of the budget, except maybe if the surveyed all use Windoze...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I wonder how much of that spending went to training their employees that "password", "letmein" and lastly "123" are *NOT* the best passwords.
Sigs are too short to say anything truly profound so read the above post instead.
Since we now have a way to track security expenditures, we should have some way to track money spent on anti-spam measures. Considering how well the anti-spam hardware and software sells, I'll venture it's a nontrivial expense, as well.
Even if you're just running some spiffy implementation of SpamAssassin, it still gets your time at some frequency to update the rules, amongst other things.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
At some of my consulting client sites, I've been underwhelmed by the quality of their "security analyst" staff. I've found that staff seemed to be more interested in putting their name on boilerplate "best practices" to pass off to others, rather than taking a hands-on, collaborative approach in working with sysadmins to really verify that their systems are secure.
Don't even get me started on social engineering and how circumventable many secured entry systems are. It's a sad thought that someone posing as a lowly janitor could have free rein in most data centers.
P.S. Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.
It's the same thing people always do when they screw something up and don't know how to fix it - throw money at it. I love it when IT companies get paid to implement "security" features (speed bumps) then "service" (disable) them. It would be like funding an invasion of a country then paying for the reconstruction of all the shit you just blew up~
Haiku for you!
Do these firms spend these security dollars properly or do they just do as recommended by whichever software/analyst group wants to sell them more software and/or information on holes? How much of the $$$ designated forward security is worth it? Anyone have insight into that aspect?
and how much of that goes to the likes of Symantec?
The higher the technology, the sharper that two-edged sword.
How much of any amount that anyone spends on anything is "worth it"?
This issue is a bit more complicated than you think.
Keeping your faulty code as far from the eyes of competent software engineers as possible only leaves black hats to play with it? Who knew!
Haiku for you!
From my point of view, the increase in security budgets is due to the increase in number of ways a system can be attacked. There's no doubt that security is very important for businesses. It's better to spend more on security rather than being attacked and hacked or anything like that, which can lead to more losses.
hahahahahaha!
Twenty percent...
Oh, that's rich. Oh my. Oh. Hoo!
Flying Spaghetti Monster, I love surveys and statistics. I've worked in internal security for the past couple years at a big accounting firm and as a security consultant for many years before this.
Everyone knows they should be doing more to stay secure, but the fact is security doesn't do anything obviously positive for the bottom line. It's like flossing: most people floss when they have some chicken stuck between their molars but they don't do it every night. (Little tip for everyone trying to get money for security: give up on ROI; sell it like you're selling an insurance policy.)
When CIOs or CISOs get these surveys they fluff the numbers because they know they are supposed to be secure even if they have a hard time justifying security spending to the Board. "Oh yeah, we spent $X on Security. That's about 15-25% of our IT budget." What they don't say is that number includes the payroll (including salary, benefits, and payroll taxes) of all IT staff that have anything to do with security, audit, or regulatory compliance.
Contrast that with asking them what they spent on email they'd probably tell you about their Exchange license fees and maybe some server hardware. They'll leave out staffing costs, retention software and SAN, etc.
My guess is that the average IT budget is spending maybe -- MAYBE -- 10% on security, audit, and compliance related expenses.
I will admit here that I didn't RTFA. If the survey population was mostly US-based publicly traded companies that fall under SOX regulations the 20% number is a tiny bit more believable because CFOs and CEOs don't want to go to jail based on a fuckup by a minimum wage (in their frame of reference) IT staffer.
obviously no deficiencies vs. no obvious deficiencies
Yes, because no malware exists on any other systems
I see your informative link, and raise you a pithy comment.
The trickiest thing about security is that there's no reliable way to tell for sure whether it's worked or not. Any security system can be defeated by a properly designed attack, although for a given system this may never happen if there's no one who has both the resources and desire to defeat it.
But the trick is, a sufficiently well-planned attack can defeat security without anyone knowing it happened. So you can't really rely on a count like the number of detected intrusions (whether they were thwarted or not). The result of this fact is that there's a huge amount of crosstalk about "best practices" and what's Good Security and what's not. You could have a system that tracks N intrusions per year, and thwarts them all, but if there were 2N intrusions that were not detected (let alone thwarted)... you go around claiming you've got great security, but do you really?
This doesn't mean we shouldn't try to have security, obviously, but it does mean that security is a giant, tricky grey area.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Unless they count a UPS, RAID and tape drives as security
...they definitely fit into the FIPS 199 concept of the CIA triad, which stands for:
Confidentiality
Integrity
Availability
UPS and RAID are part of Availability and tape backups (disaster recovery) are considered under both Availability and Integrity.
I probably shouldn't admit this for fear of making my workplace look like an attractive target, but DAMN, there is no way that anything even remotely close to 20% of our IT budget is spent on security. I'd be surprised if it was 2%.
Obviously it does but it's pretty rare. The current danger is bored script kiddies and spammers that want to own as many boxes as possible in a short time. MS Windows is the soft target for these people, particularly the hobby version and not the server version. While dictionary attacks work on other systems if the box has unfirewalled ssh with bad choices of usernames and passwords (and passwords instead of keys) it is slow even then and hopefully boring. Even when they get in they still need to escalate privileges to root before they can even use it as a portscanner let alone anything else. In the time they take to get a poorly secured *nix box they could have taken over dozens of badly set up MS Windows boxes.
At first glance 20% sounds really high, but once you think about what could be mixed in with security, I'd believe 20%. No, it shouldn't be that high, but thanks to the great Internet thing, that's what we get.
...and its secure from the start.
Linux Admin: "BSD? lolwut? thats like that OS from the fifties right?"
OpenBSD Admin: *sigh*
Obligatory blog plug: http://www.caseybanner.ca/
In terms the Nubian can understand, that means we also have the matching shields and hats.
... Businesses spend 20% of their IT budgets - but only after spending 80% of the budget on MS software.
I can't believe businesses (we currently do) have "hiring/bonus/travel" freeze but don't think twice about spending money on MS Software specifically. I guess better to pay MS employees than your own.
In my place, the security and the windows department always have misunderstandings. It is not that the security department does not want to beef up the security, it is because other departments want special "requests".
...plugging holes in Windows
realkiwi
"If you spend more on coffee than on IT security, then you will be hacked," [Richard] Clarke said during his keynote address. "What's more, you deserve to be hacked."
"It doesn't cost enough, and it makes too much sense."
In the time they take to get a poorly secured *nix box they could have taken over dozens of badly set up MS Windows boxes.
That's to be expected. Given the market share disparity, even if every other factor was equivalent [0], you would still expect to see at least ca. 40:1 "pwnership ratio".
[0] And they're not. Without even bringing technical aspects into the discussion, Windows is already at a serious disadvantage to Linux in terms of "security" because of its user demographic.
You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.
But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.
I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that anything like a default Linux install is inherently secure, especially when it comes to auditing and attribution.
A house divided against itself cannot stand.
Script kiddies and spammers are easy to deal with, they are the least of your problems. Your biggest problems are the pros, the insiders, your users, God, and Murphy.
A house divided against itself cannot stand.
Fedora, Red Hat Enterprise Linux, and CentOS come with a reasonable Net Filter (iptables) configuration by default that allows the necessary operations. It can be easily configured to allow extra ports, trusted interfaces, etc. It often gets turned off because it's supposedly too hard.
Fedora, RHEL, and CentOS also come with SE Linux enabled by default, it gets turned off more often than Net Filter.
I find it difficult to believe that any significant portion of IT budget goes to security when I see so many people turning off things that are free and relatively easy to use.
See http://etbe.coker.com.au/ for my blog.
Host based security is tricky because if the host is compromised, a good attacker will cover their tracks. It's harder, maybe even impossible, to cover your tracks when you are dealing with something transparent on the network, like a bump in the wire.
Detecting an attack is easier to do than thwarting an attack, and obviously so. What is sad is that many IT types would rather not even know about attacks because then they are liable. Ignorance, even in IT, is bliss.
I once tested a network monitor that I developed on a live accounting server. They were happy to let me test until I found 3 rogue connections that tracked to known attack vectors. The next day the IT manager disconnected the network monitor and replaced the accounting server with a new box. The old accounting server got formatted before we could see if the rogue connections were actual intrusions. If they weren't, they certainly were suspicious enough to pull the box and replace it.
Crazy question...since nobody else has bothered to ask it...is it possible that the average company feels they will appear more "privacy responsible" by claiming to spend a huge portion on security?
Somehow I'm picturing companies answering surveys with 20%, stock investors are probably hearing 2%-5%, and the people who actually make decisions are really putting in about 7%-12%.
- Nobody would know what RTFA meant if it didn't need to be said all the time
A common misconception but easily corrected by paying attention. The Apache vs Microsoft IIS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit. Furthermore you HAVE to bring technical aspects into the discussion for it to be anything other than worthless fortunetelling.
Seems to me that we're seeing another Y2k scenario - there is a real issue, and let's all overreact. Y2K was a profitable business for many consulting firms, contractors, and software vendors. The Y2K situation was something that needed to be addressed but by scaring C-level executives there's great profit to be made!
Read one of the security journals, look at the marketing hype coming out of Symantec, McAfee, and any number of security consulting firms - the primary message is fear. Fear of some unquantifiable bogeyman come to get your precious data. Precious little data on how many monsters are out to get your data, but you best be afraid. And I agree - there is reason to be concerned, but no reason to be hysterical and dedicate one fifth of your IT budget to the nebulous Security functions.
How many of these security consultants are brand new? How many are receiving certifications from the very same groups that are attempting to promote the opinion that there's a security crisis? Can you fix security problems yourself, within your own firm? Damn likely. Many IT groups underestimate their abilities (or their senior managers do), and outsource a job that could, perhaps, be done better in house.
I realize that we can't ignore the security issue, just as we couldn't ignore Y2K. But hysterically throwing money onto the problem won't solve the problem either. Don't waste your money if you can avoid it. Don't just fall for the drama of the moment if at all possible
/* Dang, I can't type that well. */
It is not impossible that the budget will increase year by year, as we know that security is very important in IT nowadays. A lot of testing has to be performed to produce a secure system. All of this testing requires a huge budget.
It's a good thing they use 1 over 5 of the budget on security... security is the most important part of life today... without it, how can we protect our secret information from others... including the military... without it, maybe... a caveman would know how many tanks we have and operate... it's worth paying for... --- (=.=')0....got red for english
I found this book review which seems to suggest that nobody knows:
...security spending will take up 155% of IT's budget in the year 2015.
Either someone has to increase IT's budget before the 100% mark is reached in 2013, or the DBAs should be sent out to pillage from Accounts Receivable.
Shiny. Let's be bad guys...
A common misconception but easily corrected by paying attention.
Anyone who doesn't think market share is a significant contributor to a product's "security record", is a fool blinded by zealotry. There are so many critical aspects of "security" that are related to market share, it's simply an inescapable factor.
The Apache vs Microsoft IIS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit.
Those "paying attention" will notice that a) IIS has had better "security" for some time now and b) IIS and Apache have similar levels of marketshare. Even before then, cherrypicking an atypical example from a tiny subset of the market, does not make for a compelling argument (neither for nor against) in the general case. The plural of anecdote is not data.
Furthermore you HAVE to bring technical aspects into the discussion for it to be anything other than worthless fortunetelling.
From a technical perspective, all the major platforms have been basically equivalent for over half a decade now (and before that, Windows NT was - "technically speaking" - streets ahead of unix variants, ironically refuting the whole "bad design" argument in one fell swoop). Further, the single biggest influence on security - users - is "non-technical".
Finally, your "marketshare is irrelevant" argument completely misses the point I was making - that even if all else was equal (ie: in any given situation, a Linux machine and a Windows machine had exactly the same probability of being compromised) you still expect to have "dozens" more Windows machines compromised than Linux machines, because they outnumber them ca. 40 to 1. Here, I'll even make a car analogy to emphasise the point; There are 100 identical cars in a garage. Ninety of them are owned by Caucasians, six by Asians, three by Negros and one by an Indian. Which ethnicity do you expect have the largest number of cars stolen from them ? Do you believe this is due to racism or statistics ?
Or, to put it another way, if you believe Windows - today - should have anything close to as "good" a "security record" as Linux, you fail at basic logic, reasoning and maths.
"rouge wi-fi access point"
Those red ones should be easy to spot.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I want to know why someone from India isn't already an Asian.
Or is 'Indian' to be taken in the same context as 'Negro'?
Shiny. Let's be bad guys...
20%? Seems high, but when you consider the three biggest parts of their "security" budget--antivirus software, firewalls, and proxy servers--it falls into place--especially since most survey-answerers would lump antivirus measures in with antispam.
Real security--IDS, systems and network monitoring, incident response, still gets short shrift--mostly a bit of lip service whenever Sarbanes-Oxley gets tossed around but no real support. It's hard to get a budget though, when security geeks aren't geared up for a proper risk-cost-analysis.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Too bad most companies vastly underspend on IT in general... so that "20% of all IT spending" is probably much smaller than it sounds.
Real security work is integrated. How do you measure, "decided to write it to avoid the possibility of buffer overflows" or "designed it to not execute foreign code when an ignorant user merely 'clicks' on something" in your budget?
They spill the bullshitbeans here:
They're just talking about how much was spent buying faux-security products. "Security enforcement technologies," sheesh!
If it said, "Spend 4 hours per employee training them to not download and execute arbitrary code from the web and CDs" I'd say it was a meaningful figure. But this analysis is merely a measurement of IT parasitism.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Nowadays the internet has become an important part of human life. Everything is done using the internet, and many companies do their business using the internet to market their products and services. Every year, every month and every day, business on the internet is increasing, and so is cybercrime. Therefore companies need to pay more attention to their security by finding the best solution to defend themselves from attackers or intruders. As a result they need to spend more of their budget to get good security. The question is: if the cost of cybercrime is increasing, are companies budgeting enough to defend themselves? :) Here is an article about this topic: http://www.darkreading.com/document.asp?doc_id=133814
A report this month by Computer Security Institute says that fewer than 9% of its respondents said they spend more than 10% of their IT budget on security. The bulk of respondents (page 7) said that the number is closer to 2-5%.
Business people spend money on security while security makes money from it... well, welcome to the real world! It's all about money!
Hey, I accept that Windows has the lion's share of viruses. But the AC I was responding to claimed that viruses were all Bill's fault, and I wanted to disillusion him. Honestly, the viruses from pre-Windows days were the preferred examples for discrediting his claims.
Personally, I feel that the majority of viruses run on Windows for many reasons, including that it's a bigger target, a softer target, and, by and large, a dumber target. The average Linux user is much more tech-savvy than the average Windows user. If all of those tech-savvy people switched to Windows, they would still not be the people getting viruses. I run Linux on my laptop, and XP on my desktop (for games). I don't get viruses on either of them.
I see your informative link, and raise you a pithy comment.
And I'm the one being accused of being a fool blinded by zealotry? Some of us have used it a lot and read hundreds of the MS white papers to get around problems you know, we still use it in situations where it makes sense. It was good enough for what it did because it was a cheap OS running on cheap hardware however only MS marketing people further enhanced by drugs would be making that sort of claim in anything other than ignorance.
Remember that all else is not equal. A simplistic comparison of numbers is hardly going to get you anywhere because the mechanism is not randomly attacking anything and getting the same sort of success rate for everything. It would be nice if all else was equal and the Microsoft products are steadily improving but they are still the soft target that appears to be chosen by preference - even most of the dictionary attacks via ssh that I see are attempting to log on as "Administrator". Attacks are squarely aimed at MS machines and you can tell because the differences between systems are such that different methods would have to be used. Other systems have other vulnerabilities and can still be insecure, but malware is a MS Windows problem.
Back to the IIS and apache thing: "cherrypicking an atypical example from a tiny subset of the market" was the quote above. You do realise that you are reading this on the internet? There are a lot of web servers out there so we are talking about an enormous sample size. When IIS was new it was attacked a lot despite having almost zero market share - it was attacked due to being a soft target in comparison to apache. That should illustrate what I mean about market share being of little relevance in the case of malware and a very simplistic way of looking at things. Malware would have to be implemented in very different ways to run on other systems. As for the irrelevant and weird race example - please show a little more maturity - trying to make somebody angry to win an argument is really not worth it if that is what you were trying to do and it didn't work anyway.
The last little insult implying that a simplistic view is the only approach of the intelligent person and that I have failed because I consider a more complex model is also rather sad. Some things go beyond "Jim has more apples than Tony has oranges" - you are not going to solve security problems by doing such simplistic and usually irrelevant apple and orange comparisons. Similarly stating that MS Windows has a lot of malware because a lot of people like it is really ignoring the reasons why it is so easy for script kiddies and spammers to use the stuff and even write their own with very little knowledge of how the OS works.
I want to know why someone from India isn't already an Asian.
Because I was using it in the context of ethnicity, not what continent they were born on.
Or is 'Indian' to be taken in the same context as 'Negro'?
Uh, not sure what context you're inferring...
And I'm the one being accused of being a fool blinded by zealotry?
Yes. Because apparently you think, despite all contemporary OSes being basically equivalent in terms of capabilities and features - marketshare has no influence on a product's "security".
Some of us have used it a lot and read hundreds of the MS white papers to get around problems you know, we still use it in situations where it makes sense. It was good enough for what it did because it was a cheap OS running on cheap hardware however only MS marketing people further enhanced by drugs would be making that sort of claim in anything other than ignorance.
Windows NT, since day 1, has had a vastly more capable security infrastructure than standard UNIX. It was only with the advent of things like SELinux, that this changed.
Remember that all else is not equal.
I am well aware of this. Hence the reason I *specifically stated* that assumption to get across the point that even in an unrealistic scenario offering an advantage (in the context of actual reality) to Windows, you would still expect it to have a vastly higher rate of compromise simply because of the sheer numerical difference in machines. This was in response to your implication that such a result would be due to Windows being a "soft target".
A simplistic comparison of numbers is hardly going to get you anywhere because the mechanism is not randomly attacking anything and getting the same sort of success rate for everything. It would be nice if all else was equal and the Microsoft products are steadily improving but they are still the soft target that appears to be chosen by preference - even most of the dictionary attacks via ssh that I see are attempting to log on as "Administrator". Attacks are squarely aimed at MS machines and you can tell because the differences between systems are such that different methods would have to be used. Other systems have other vulnerabilities and can still be insecure, but malware is a MS Windows problem.
Your flawed assumption is that Windows is chosen purely - or even primarily - because it is a "soft target" from a technical perspective, and not because of any of the numerous factors related directly to marketshare. *You* are the one exercising a "simplistic analysis" (based on outdated rhetoric, judging by the stereotypical Apache vs IIS example).
Back to the IIS and apache thing: "cherrypicking an atypical example from a tiny subset of the market" was the quote above. You do realise that you are reading this on the internet? There are a lot of web servers out there so we are talking about an enormous sample size.
If you think webservers make up a meaningful proportion of internet-connected computers, you're delusional. Further, by their nature (managed servers usually maintained by knowledgeable individuals, monitored for abnormal behaviour, regularly updated - although these apply much more to Apache than IIS, hence raising another inherent disadvantage to it, even if the comparison was valid) they represent an atypical example of the average internet-connected machine.
When IIS was new it was attacked a lot despite having almost zero market share - it was attacked due to being a soft target in comparison to apache. That should illustrate what I mean about market share being of little relevance in the case of malware and a very simplistic way of looking at things.
All it illustrates is your bias and flawed analytical skills. 4-5+ years ago IIS (<6) was available on a platform that covered ~90% of the market, was frequently installed without need by amateurs with no idea how to configure or maintain it, on unmanaged (or poorly managed) machines that saw little in the way even of basic maintenance, let alone proactive security-conscious configuration. Contrast this to Apache, which was running on ca. 2003 or earlier Linux distributions (already the bar is raised significantly higher) or some other unix variant (bar is rai
I must admit I have not heard such a statement from anybody that does a great deal of work with computers and do not expect to. On anything other than an extremely superficial level there are many differences.
I hate to use the "you must be new here" line but you have been greatly misled by somebody about this. For a variety of reasons the security model for Windows NT was originally lax and it did not matter a great deal initially. Windows NT has improved a great deal with respect to security since its first release and more improvements will be added.
Another little insult added on the end. At least you are not going for the bullying questioning of people's mathematical ability etc as before. That would work against people with little confidence who have some degree of respect for you I suspect - do you try it a lot? Please argue the thing on its merits instead of insults.
Let me try to explain why I consider this old argument to be wrong in a different way. If you wind back twelve years you will find examples of people saying that linux will be attacked by large numbers of viruses as soon as there are large numbers of linux hosts out there. The large numbers are there now but it did not happen due to what is being written off above as "technical reasons". Unfortunately with most subjects as soon as anyone considers how things happen it gets "technical" and comparison of the numbers of dissimilar things is just not good enough.
I must admit I have not heard such a statement from anybody that does a great deal of work with computers and do not expect to. On anything other than an extremely superficial level there are many differences.
For example ? What major, relevant architectural features are not found in all of the major OSes (and haven't been for the better part of a decade) ?
I hate to use the "you must be new here" line but you have been greatly misled by somebody about this. For a variety of reasons the security model for Windows NT was originally lax and it did not matter a great deal initially. Windows NT has improved a great deal with respect to security since its first release and more improvements will be added.
The security model of NT has remained basically unchanged since 1993. There are certainly a few minor implementation and configuration details that have been improved (eg: running services as unprivileged users, UAC) but in the last ~15 years the same changes have happened on unix platforms to basically the same degree.
And, of course, let's not forget how "lax" the security model of traditional unix is.
Another little insult added on the end.
It's not an insult - that would imply I made it in an attempt to offend - it's an observation of someone's mental state given the circumstances. I fail to see why I should refrain from calling someone acting foolishly, a fool.
At least you are not going for the bullying questioning of people's mathematical ability etc as before.
Again, simply an observation, not "bullying". Unless you can come up with some reason why that observation was incorrect, and even if all other variables were equal, one wouldn't expect to see compromises of Windows machines outnumbering Linux machines approximately 40:1 ?
That would work against people with little confidence who have some degree of respect for you I suspect - do you try it a lot? Please argue the thing on its merits instead of insults.
I try to "argue the thing on its merits", but as is typical with people like you, my arguments are ignored or dismissed as irrelevant (just as you have in this thread), in favour of a) biased, unsupported and poorly reasoned assertions and b) irrelevant, cherry-picked, frequently outdated anecdotes.
If you're so keen to "argue the merits", try and come up with some good reasons as to why marketshare should not be considered a significant factor. I've already used several examples as to how it is.
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken respect - it is uncivilised. While it is unlikely to work here with anybody that is familiar with more than one operating system and can see the holes I'll bet you use it in other forums or on other topics. The 1993 bit could throw the young off track a bit and make them question what they know - was that another little trick? There's a whole lot in earlier posts about your view of myself and very little about the subject matter. That tells me a lot about the writer but really nothing else of consequence. You have won this little game you are playing and I have already stated that I do not believe this old simplistic argument that has shown no sign of occurring over more than a decade - I came here for something other than this little game that is a bit above kindergarten level.
No little bullying insults? It's all there above and a bit is quoted here:
No. Although when you choose to deceptively quote out of context, you can certainly make it look that way.
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken respect - it is uncivilised.
I am trying to talk about the subject matter. You, on the other hand, repeatedly ignore attempts to do so, preferring to concentrate on a deconstruction of how I choose to make my points. That is to say, essentially nothing more than ad hominem "arguments".
The 1993 bit could throw the young off track a bit and make them question what they know - was that another little trick?
Indeed. Damn those facts, they trickses us all the time.
There's a whole lot in earlier posts about your view of myself and very little about the subject matter.
In fact, my comments about attitude are explicitly conditional on whether or not certain mindsets are held. I'm not calling people with the opinions you have expressed fools for the hell of it, as an insult, I'm calling them fools for holding a biased opinion unsupported by fact or reasoned argument.
You have won this little game you are playing and I have already stated that I do not believe this old simplistic argument that has shown no sign of occurring over more than a decade - I came here for something other than this little game that is a bit above kindergarten level.
Apparently you're a hypocrite as well. You attack me for not "talking about the subject matter" yet continually evade any attempts to engage upon it. Continually repeating different variations of "I think you're wrong" is not "talking about the subject matter", it's sticking your fingers in your ears and seeing who can yell louder.
No little bullying insults? It's all there above and a bit is quoted here:
No. Although when you choose to deceptively quote out of context, you can certainly make it look that way.
Try to talk about the subject matter instead of using methods to bully those with less confidence in their abilities or mistaken respect - it is uncivilised.
I am trying to talk about the subject matter. You, on the other hand, repeatedly ignore attempts to do so, preferring to concentrate on a deconstruction of how I choose to make my points.
The 1993 bit could throw the young off track a bit and make them question what they know - was that another little trick?
That depends on whether or not you consider a piece of factual information a "trick" or not.
There's a whole lot in earlier posts about your view of myself and very little about the subject matter.
In fact, my comments about attitude are explicitly conditional on whether or not certain mindsets are held. I'm not calling people with the opinions you have expressed fools for the hell of it, as an insult, I'm calling them fools for holding a biased opinion unsupported by fact or reasoned argument.
You have won this little game you are playing and I have already stated that I do not believe this old simplistic argument that has shown no sign of occurring over more than a decade - I came here for something other than this little game that is a bit above kindergarten level.
Apparently you're a hypocrite as well. You attack me for not "talking about the subject matter" yet continually evade any attempts to engage upon it. Please note that simply repeating different variations of "you're wrong" is not "talking about the subject matter".
Security matters are taken seriously recently because many companies are willing to spend investment on it, plus it's a must to have a good security system in business. I think the budget for security is increasing because of the problem with budgeting. Estimating your security costs can be difficult but if you know how to plan it more precisely there is no problem about the budgeting of IT budgets on security.
In 2007, most firms plan to spend between 7.5% and 9.0% of their IT budgets on security, regardless of their size, geography, and industry. This convergence of budgets points to the maturity of information security discipline and the solidification of the information security role within the organization. As security professionals grow from purely IT-centric and technology-focused roles into information-centric and risk-focused roles, they need a new set of tools and processes to fulfill their responsibilities. As a result, security spending is on the rise again, and organizations across North America and Europe will spend 7.91% of their IT budgets on security, compared with 7.75% in 2006.