Businesses Spend 20% of IT Budgets on Security
Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."
Re:I call bull (Score:5, Informative)
When I think about it, it probably isn't 20% of the total expenses, but it would have to be close.
Re:I call bull (Score:3, Informative)
> that much of the budget, except maybe if those surveyed all use Windoze...
I'm sure a significant percentage of them use Windows, but what you're probably missing is that a lot of the security stuff that's typically sold to corporations (including, even, firewall solutions) is sold on a subscription basis, so that you have to pay every n (typically, twelve) months just to keep the same level of protection that you already had.
Most other computer stuff is licensed for an indefinite period of time, so if a given system has a lifespan of five years, you only pay for the hardware, OS, office suite, and so forth every five years, but you pay for the security stuff five times as often. So it could cost 1/20th as much as the rest and still take up 1/5th of the budget.
For instance, you might buy a workstation for $500, which comes with Windows XP included and a keyboard and mouse. To go along with that you might also buy a $250 LCD and a $650 license for MS Office, and you might use the thing for five years. During that time you might pay for Norton Internet Security every year, at about $70 a pop. Those aren't atypical figures these days, but if you multiply it out, security is one-fifth of the total budget for that workstation over five years.
It does get a little weirder when line-of-business software is included (you know, stuff in the "let us know you're interested and we'll assign a sales team" price range), because that stuff usually has annually-renewed maintenance contracts on everything, including the hardware. OTOH, security solutions at that kind of level tend to be more expensive as well, e.g., the vendor might roll one of Symantec's enterprise-level security products right into your plan and consider it a required part of the solution.
Re:I call bull (Score:2, Informative)
E-mail filtering: Just some spam filtering and ClamAV so we don't propagate viruses in case somebody decides to forward it.
Web content filtering: A big loss in $$$, since every single one of your employees WILL find a way around it, which reduces security even further since they'll be using less controllable techniques while having to look for them on warez sites (which do have a lot of issues with random viruses etc.).
Anti-virus: Sits in my e-mail, otherwise not necessary. Just in case I DO need it, I have ClamAV on stand-by to scan all user directories on my XRAID.
Firewalls: A single firewall cluster in front of my boxes (which all have a PUBLIC IP) will do, thank you. If you decide to have it on each box, see my comment on Web content filtering, since they can't run any ol' program (even if it's just a game).
Administering the products: Send false positives through with a TAG or even MIME-attached, strip the attachment if it contains a virus; SpamAssassin, ClamAV, Amavisd and Postfix CORRECTLY set up will do that for you. So far no false positives though.
Server for WSUS costs you that much money? Distributing packages doesn't cost me anything, and I think an update service like that should come for free as a courtesy for buying so many client licenses. I have Mac OS X Software Update (free with Server) and a local repository of relevant Fedora Core and Debian updates on the same server, which I also use for developing and other stuff; it also does my tape library and backups at night. Ok, the hardware and license had to be bought, and if you have a really large organization (10,000+) you might need a separate server to do that, but I see many running really large (100s of GB) public repositories (look at all the Univ entries for any distro) and they run on one or two servers under constant >100 Mbit loads.
Wireless networking? Why worry. Rather, worry about ANY laptop, whether wireless or wired. Make sure the wireless clients don't get on your local network, use WPA with RADIUS (did I mention that's usually free and supported on every cheap or expensive WLAN router) and treat them like you would any other VPN connection. What, you don't trust the computers on the VPN either, do you? Why would you? Just because they're your laptops doesn't mean the employees' kids don't play with them once they get home!
Re:I call bull (Score:3, Informative)
AV, client firewall, integrity checkers and patch deployment, VPN, firewall, compliance, etc. in a Windows shop ramp up to somewhere around there. Actually, quite often they are even more.
Depends on your view of "security" (Score:4, Informative)
You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.
But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.
I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that anything like a default Linux install is inherently secure, especially when it comes to auditing and attribution.
Re:Security is tricky... (Score:2, Informative)
Security isn't "tricky" or a "grey area". Security is awareness. Understanding how and where the machines on your network communicate is usually all that's required. If you take the time to study the traffic flows every day, monitor your choke points, and respect the computing requirements of your users (who, by the way, are the business), you have a very good chance of thwarting a targeted attack or spotting a previously successful one (remember that anyone who gets into your network has to get back out).
The best security tools are free. What costs are bodies. Salary plus benefits for a decent analyst can top $150k/yr. Good security engineers or consultants can be twice that or more. I don't know if those costs are figured into the TFA percentage. Then there's the cost of compliance - which is a real cost. Audits and compliance take bodies from other projects and initiatives, alter business timelines, and add complexity to the infrastructure. Anyone who's been through a PCI audit can attest to the expense. Audit costs leave very little for machines and software.
Want money for security? Show your managers where the weak spots are. Where is your machine and software inventory? What are your critical systems? How is your patch management system working? Are your IDSs tuned to your inventory and patch level? What about the change management system? Do you know what changes have been made on your network? Do you have an accounting of all the ACLs in your firewalls and routers? Do you know how traffic flows in your network? Can you demonstrate it? The business parlance for these things today is "process". Do you have a Security Process? Want money? Demonstrate your Process....
Regards,
t-e
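The daily traffic-flow review the post above describes ("anyone who gets in has to get back out"), as an added example that is not part of the original thread: it parses flow records from a border choke point, learns which external destinations each internal host normally reaches, and reports new egress destinations and unusually large outbound transfers. The record format, the 10.0.0.0/8 internal range and the sample flows are constructed assumptions.

```python
"""Egress-flow review at a choke point (added example, not from the thread).
Assumes flow records "timestamp src dst dport bytes" exported from the border
firewall; the records and the 10.0.0.0/8 internal range are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's inside range
# Constructed sample: a known-good baseline period, then one day to review.
BASELINE_FLOWS = """\
2007-06-01T09:00:01 10.1.2.10 198.51.100.5 443 5120
2007-06-01T09:00:05 10.1.2.11 198.51.100.5 443 4096
2007-06-01T12:00:00 10.1.2.50 203.0.113.20 25 2048
2007-06-02T09:10:01 10.1.2.10 198.51.100.5 443 6000
"""
TODAY_FLOWS = """\
2007-06-03T09:00:01 10.1.2.10 198.51.100.5 443 5000
2007-06-03T03:12:44 10.1.2.50 203.0.113.20 25 1500
2007-06-03T03:14:02 10.1.2.50 192.0.2.77 6667 900
2007-06-03T03:20:00 10.1.2.50 192.0.2.77 443 52428800
"""

def parse_flows(text):
    """Yield (src, dst, dport, bytes) for outbound flows only (inside -> outside)."""
    for line in text.splitlines():
        _ts, src, dst, dport, nbytes = line.split()
        s, d = ip_address(src), ip_address(dst)
        if s in INTERNAL and d not in INTERNAL:  # egress seen at the choke point
            yield src, dst, int(dport), int(nbytes)

def build_baseline(text):
    """Map each internal host to the (dst, port) pairs it normally talks to."""
    seen = defaultdict(set)
    for src, dst, dport, _ in parse_flows(text):
        seen[src].add((dst, dport))
    return seen

def review_egress(baseline, text, volume_limit=10 * 1024 * 1024):
    """Return findings: destinations not in the baseline, and per-pair volume over the limit."""
    findings = []
    totals = defaultdict(int)
    for src, dst, dport, nbytes in parse_flows(text):
        if (dst, dport) not in baseline.get(src, set()):
            findings.append(("new-destination", src, dst, dport))
        totals[(src, dst)] += nbytes
    for (src, dst), total in totals.items():
        if total > volume_limit:  # a mail relay pushing 50 MB out is worth a look
            findings.append(("large-egress", src, dst, total))
    return findings
```

On the constructed data the mail server 10.1.2.50 shows up twice: a never-before-seen destination on port 6667 and a 50 MB transfer to that same host, exactly the "getting back out" traffic the post says to watch for.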