Survey On Security Investment Trends
whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations.
Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."
Return on investment (Score:2, Interesting)
Spending per capita versus (Score:3, Interesting)
The problem from the clients I've interacted with over the years has rarely been that they spend too much due to wanting X dollars per machine, but in their failure to realize that they too may be vulnerable to threats that they think can't happen. As in many cases in this industry, the bulk of the problem lies about 20 inches in front of the screen. I've often found that some money spent on education is what is needed the most.
Article summary here (Score:2, Insightful)
Press release with summary of the article can be found...
Here [trusecure.com]
screw it, here is the summary (Score:3, Informative)
Some of the major findings of the Information Security Magazine survey include:
Re:screw it, here is the summary (Score:4, Insightful)
I'm an IT security professional, and this really scares me. There are gaping holes in most organisations' internal security that far outweigh the threats from external sources. Examples include
* Paranoid mobile-office/home access to the corporate network with virus scanners and what-have-you, while username/password for the mainframe travels in the clear on the corporate LAN.
Re:screw it, here is the summary (Score:1)
Mod this guy up +1 Informative.
The biggest problem that gets overlooked in Corporate IT isn't so much remote users but instead the internal users. The biggest threat to any company's IP is that disgruntled employee who downloads a master client list or yanks some code from the file server and takes it with them.
The threat of a security breach has to be considered BOTH internally and externally. The biggest danger isn't a script kiddie, it's that sales guy downstairs looking for an edge over the guy next to him so he can get more commission (and believe me, I've seen it happen).
Re:screw it, here is the summary (Score:2, Insightful)
Between the questionable statistics and the bizarre correlation between security and sex mentioned in the first paragraph, this article is nothing but a large serving of Buzzword Soup topped with noise and a sprinkling of anecdotal evidence, with yummy USA-Today-style pie charts for dessert.
I have spoken.
Re:screw it, here is the summary (Score:1)
I don't see how this is a useful conclusion unless you differentiate how the money is spent. It's like saying, "We keep buying our executives gold-plated wastebaskets, so why isn't our share price going up?"
Don't read too much into it (Score:5, Insightful)
For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents."
So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.
One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!
The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.
I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.
Re:Don't read too much into it (Score:3, Insightful)
That seems like the best data that could be gotten given that most companies that large would not respond or would be evasive in their answers.
Re:Don't read too much into it (Score:1)
Commitment (Score:1)
Without reading the article in detail (will do it after posting, how clever ;)) that conclusion seems utterly logical. Higher share probably reflects the fact that the company management has understood the importance of IT security. And this probably shows everywhere else in the organisation.
Blind faith in the firewall (Score:3, Informative)
Lies, damn lies, and statistics (Score:4, Interesting)
Re:Lies, damn lies, and statistics (Score:3, Funny)
Which means my boss will be quoting it to me in the morning as a mantra, perfect and undeniable. It will take precedence over my decisions and all those who disagree with it will be fired, er, downsized.
Still can't defeat social engineering (Score:1)
On a semi-related tangent: Some of you might be interested in the account of how a UC San Diego student with a crummy GPA managed to fast-talk his way into a Silicon Valley investment-banking firm internship [livejournal.com].
Correlation != causality (Score:2)
Perhaps businesses that spend a larger share of their IT budget on security give it a larger priority in general.
Google Hacked? (Score:2)
They do have an incredible number of machines all connected directly to the internet.
Re:Google Hacked? (Score:1)
The new adwords doesn't give you absolute hits per day/week/month, but it does give you an indication of how popular keywords are, when it estimates your cost to run a keyword.
The old adwords is being deactivated very soon (if not already).
Corporations should DEMAND secure software! (Score:1)
Now, if my company went cold turkey on Windows and MS Office it probably couldn't continue to do business. That's right, our business would dry up, real fast. We could use Macs, of course (at huge transition expense, but doable), but we'd still need MS Office. I'm an avid home user of OpenOffice (on Linux) - I love the program and have found it entirely serviceable as a general office tool, and it's a tool that could certainly be used by office workers. However, if a pool of secretaries and clerks had to deal with MS Office attachments coming in all day, and had to convert all their outgoing work product to MS Office-compatible files, that would be a real problem, operationally. For service companies and others doing a lot of business with the outside world (probably most of the corporate world), weaning off of MS Office is not a real option at the present time.
So, MS has all these companies by the shorthairs. Microsoft doesn't really HAVE to give a damn, actually, about the security vulnerabilities, because they do not make IT vulnerable in any material sense. The customers have no real choice. Microsoft just has to make it easier to deploy their own products and incorporate more "features", and all the macro, scripting, component and plugin capability built into their products plays into that objective just fine.
Not that it's so terrible to be a MS customer. Their latest enterprise agreements were quite reasonable. You just have to keep paying, and most management accepts that. And you get pretty decent service from them, really. The customer takes all of this (security flaws included), with a big smile on its face! The result is a nice annuity from virtually every business organization in the world. Better than being a tax collector.
Security won't go anywhere, IMO, until either the government or the corporate users en masse get up and demand something better.
One thing I never understood is why Microsoft isn't vulnerable to class action lawsuits, like the pharmaceutical companies get hit with all the time. That would straighten them out real fast. The answer may be that the people who would do this suing would be corporate America, and it's against their ethic to bring these kinds of suits (they're stuck defending them most of the time).
Maybe if times get tougher, or business more competitive, companies will have to think about how much these problems are really costing them, and whether it makes economic sense to start doing something effective about it. I don't think we're there yet.
Last Post! (Score:1)
"user-friendly".
the old brochures, and stamp the words, "user-friendly" on the cover.
-- Bill Gates, Microsoft, Inc.
[Pot. Kettle. Black.]
- this post brought to you by the Automated Last Post Generator...