Businesses Spend 20% of IT Budgets on Security

Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."

that's how we roll around here

[User+956]

Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday ... That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004.

That makes sense. I mean, nerf weapons count as a security expense, right?

Re:that's how we roll around here

[Architect_sasyr]

Definitely do. It's the only way I can keep the damn bean counters from getting into mission control!

To bad most of it is Stupid Security.

[jellomizer]

I have waisted more time making workarounds these "security fixes" then ever just because they
want to think they are safe but they never really consider the underlining problems with security.
90% of the Market is using the SAME FREAKING OS! So they work on blocking legit Web Mail so
Windows Viruses cant get in. Scanning all attachments to make sure there is no VBScript in Office
For Windows Documents. Trying to block sites that could possible be considered to have Windows Spyware.

Stop using freaking Windows all the time. Linux/Mac Workstations with VMWare to load Windows for those
Windows only apps, Stop wasting time with making Windows Console application and focus on Web Based Apps
Even if it is with .NET on a Windows Server, which you can run the Apps on any other browser, and OS.

Of course gust going to a different OS isn't the only solution you need good firewalls and such. But...
The core of the problem is Windows. Get Rid of Windows or reduce it to more bit parts then your companies
security is so much better.

Yes PHB MBA wont get it, they are afraid of doing anything differently then the rest. IT people will resist
too because they don't know Linux or Macs as well as windows and are not willing to learn. But if you need
to focus on security you need be different then the rest.

You need to be flexible so If Macs or Linux becomes insecure (One to many features can cause that problem) then
your custom apps need to be multi-platform or at least cross compilable to move from one system to an other.
That is the correct direction for security. Not this Block you from getting you work done stuff.

Re:To bad most of it is Stupid Security.

[CaptainPatent]

Actually, a linux box in the hands of a clueless user can be just as dangerous if not more so than a windows box in the same hands.

The real threat is ignorance here. That includes buying unnecessary security equipment, operating and running the system itself, and improperly using software firewall and routing.

Re:To bad most of it is Stupid Security.

[Lobster+Quadrille]

As the head of my company's security department, the problem does not lie with Windows.

I am no fan of Microsoft- after much fighting with my boss over it, I'm the only person in a mid-sized web design company running Linux on his desktop, but the core problem has nothing to do with Windows- at least not solely.

The problem comes down to several things:

Incompetence of users: This is the only place the the end OS really makes a difference, but all in all, I'd rather see the morons using Windows than Linux, just because they are already familiar with it. It's pretty tough to convince the uppers to retrain an entire company. That time and effort could in fact be better spent working on virus protection, network monitoring, etc., which any responsible security team still needs to do.

Pre-existing infrastructure: Companies start small, usually with the IT department consisting of a guy who sort of knows how to build computers. As the company grows, the infrastructure is forced to expand with it. Generally, this invlolves hacks and patching things together until it reaches a breaking point and a real network engineer is brought in. The problem there is that he still needs to keep everything up and running. You can't exactly take down a network, lead/customer management database, external web applications, etc, rebuild them all from scratch, then move everybody over. If the company can't maintain a baseline of functionality, than a security/network overhaul won't do anybody any good.

Cluelessness of management: Spending money on security rarely affect's the company's bottom end directly. The only way to get them to take security seriously is to show them what it will cost them to not do so. This isn't as hard as it sounds though- if you can convince upper management to participate in creating company security policy, you can start to show them that A) security involves not just confidentiality, but also availability and integrity of assets- two aspects that are far more critical, particularly in upper management's eyes. B) Protection of those assets is the responsibility of management. Hiring a security guy will do no good unless he has support from the top. When something goes wrong, they may have a patsy, but they suddenly won't have that database of customer information.

It's nice to hear that companies are spending 20% of IT budgets on security, though I don't believe it. Regardless, there is definitely a positive trend. The companies are starting to realize that security isn't something you can pick up for the price of a firewall and a pentest- it's a cyclical process involving constant auditing, defining and refining processes in all aspects of the company (which is why management support is so critical), and most importantly, fixing problems WITHOUT interrupting the normal flow of business.

And then what part goes to anti-spam?

[damn_registrars]

Since we now have a way to track security expenditures, we should have some way to track money spent on anti-spam measures. Considering how well the anti-spam hardware and software sells, I'll venture its a nontrivial expense, as well.

Even if you're just running some spiffy implementation of spam assasin, it still gets your time at some frequency to update the rules, amongst other things.

"Security" analysts

[Da_Biz]

At some of my consulting client sites, I've been underwhelmed by the quality of their "security analyst" staff. I've found that staff seemed to be more interested in putting their name on boilerplate "best practices" to pass off to others, rather than taking a hands-on, collaborative approach in working with sysadmins to really verify that their systems are secure.

Don't even get me started on social engineering and how circumventable many secured entry systems are. It's a sad thought that someone posing as a lowly janitor could have free rein in most data centers.

P.S. Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.

Re:I call bull

[teh+moges]

I'm not sure about you, but we (Windows mostly) use email filtering, web content filtering, anti virus and firewalls. Then you have the personal costs of running, maintaining and administering these products (such as releasing false positive emails, updating anti virus). Then I suppose you can count the fact we have a server for WSUS as an ongoing cost. We have very little in the way of wireless networks, but if we did, they would be another cost (more administration then anything).

When I think about it, it probably isn't 20% of the total expenses, but it would have to be close.

lol

[spykemail]

It's the same thing people always do when they screw something up and don't know how to fix it - throw money at it. I love it when IT companies get paid to implement "security" features (speed bumps) then "service" (disable) them. It would be like funding an invasion of a country then paying for the reconstruction of all the shit you just blew up~

Re:I call bull

[jonadab]

> Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up
> that much of the budget, except maybe if the surveyed all use Windoze...

I'm sure a significant percentage of them use Windows, but what you're probably missing is that a lot of the security stuff that's typically sold to corporations (including, even, firewall solutions) is sold on a subscription basis, so that you have to pay every n (typically, twelve) months just to keep the same level of protection that you already had.

Most other computer stuff is licensed for an indefinite period of time, so if a given system has a lifespan of five years, you only pay for the hardware, OS, office suite, and so forth every five years, but you pay for the security stuff five times as often. So it could cost 1/20th as much as the rest and still take up 1/5th of the budget.

For instance, you might buy a workstation for $500, which comes with Windows XP included and a keyboard and mouse. To go along with that you might also buy a $250 LCD and a $650 license for MS Office, and you might use the thing for five years. During that time you might pay for Norton Internet Security every year, at about $70 a pop. Those aren't atypical figures these days, but if you multiply it out, security is one-fifth of the total budget for that workstation over five years.

It does get a little weirder when line-of-business software is included (you know, stuff in the "let us know you're interested and we'll assign a sales team" price range), because that stuff usually has annually-renewed maintenance contracts on everything, including the hardware. OTOH, security solutions at that kind of level tend to be more expensive as well, e.g., the vendor might roll one of Symantec's enterprise-level security products right into your plan and consider it a required part of the solution.

Re:pebkac security patch

[UncleTogie]

I wonder how much of that spending went to training their employees that "password", "letmein" and lastly "123" are *NOT* the best passwords.

Just happened today: The uber-friendly shopkeeper next door asked me to help him void a transaction. When the password prompt came up, he looked at me and simply said, "1-2-3-4-5."

I couldn't resist. I looked back at him and said, "That's funny. I've got the same combination on my luggage..."

Re:pebkac security patch

[jonadab]

> I wonder how much of that spending went to training their employees

On average, not nearly enough. Employee training practically always gets shortchanged, and I'm not just talking about computer security, or even just about computer technology generally. It's true across the board in most industries.

Worse, in a lot of industries, the money that _is_ budgetted for employee training gets mostly wasted on worthless nonsense, not spent on the training the employees could actually *use*.

Security is tricky...

[Dirtside]

The trickiest thing about security is that there's no reliable way to tell for sure whether it's worked or not. Any security system can be defeated by a properly designed attack, although for a given system this may never happen if there's no one who has both the resources and desire to defeat it.

But the trick is, a sufficiently well-planned attack can defeat security without anyone knowing it happened. So you can't really rely on a count like the number of detected intrusions (whether they were thwarted or not). The result of this fact is that there's a huge amount of crosstalk about "best practices" and what's Good Security and what's not. You could have a system that tracks N intrusions per year, and thwarts them all, but if there were 2N intrusions that were not detected (let alone thwarted)... you go around claiming you've got great security, but do you really?

This doesn't mean we shouldn't try to have security, obviously, but it does mean that security is a giant, tricky grey area.

Re:Hahaha

[ScrewMaster]

And you so absofuckinglutely missed the point it's almost hard to bother replying. You seem confused about the term "profit center" which has a very specific meaning in most businesses. I didn't say that advanced technology was useless or doesn't help industry: I've been an industrial software developer for damn near thirty of those years, so there's no reason to get testy. I suspect you're just being deliberately obtuse so's you can use the word "absofuckinglutely". Good for you. If you'd actually grasped what I was trying to say, you'd have understood that I was referring to the perspective of the suits running a company, not the utility of information technology in general.

Look, you run a company. How do you see the world? You see it in terms of money coming in ... and money going out. Those guys on the production floor making product? Money coming in. That programmer cranking out code for the latest release of the company's premier software product? Money coming in. That's what the corporate executive sees as a "profit making center", and that's how I defined it.

Now, let's take a look at some other internal functions in any company:

Sales & Marketing? Not a profit center, but without it there'll be no profits, plus which suits understand those departments. They generally haven't a clue how design and production work.

Accounting? Not a profit center ... but even a suit sees that as money well spent so he can see how much money he has accumulated. Besides, there are numerous laws which require compliance.

Customer support? Not a profit center. "Too bad our drain-bamaged customers can't handle all their own problems, we'd save a bundle. No, we're not going to upgrade the call center, matter of fact we're shipping it to India next month. Start training Habib here ... he's replacing you."

Internal IT department? Not a profit center. "Too bad all those stupid people that work for us can't handle their own problems. We'd save a bundle. Also, you gotta watch those IT guys, always wanting to spend our money on the latest fancy computer toys."

So far as external threats are concerned ... who cares? "What? You want me to authorize 250 grand for security upgrades to fend off potential threats? Forget it, I'd have to reduce our bonuses this year and that sure ain't gonna happen ... here's fifty K and you're lucky to get that. Besides, I don't understand all this "black hat" "white hat" shit. What's a firewall, anyway? I think my car has one. My dog had worms once."

That's what I'm talking about. I'm sorry if you're an IT guy and took offense, but the facts are clear: IT and its very important offshoot, network security are simply not in the average PHBs top ten list of important areas to spend money. There are some corporations that get it, and make themselves into hard targets, but not enough. Not nearly enough. Part of the problem is that good security is more a matter of good people that it is good equipment.

Depends on your view of "security"

[pedestrian+crossing]

A clueless Admin hosting something maybe. But by default install of Desktop Linux those services that can be cracked if not correctly setup are not running.

You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.

A defualt install of Desktop Linux is far more secure and safe then the default install of Windows.

But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.

I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that any like a default Linux install is inherently secure, especially when it comes to auditing and attribution.

Honesty?

[Speed+Pour]

Crazy question...since nobody else has bothered to ask it...is it possible that the average company feels they will appear more "privacy responsible" by claiming to spend a huge portion on security?

Somehow I'm picturing companies answering surveys with 20%, stock investors are probably hearing 2%-5%, and the people who actually make decisions are really putting in about 7%-12%.