Security

Survey On Security Investment Trends

whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations. Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."
  • Return on investment (Score:2, Interesting)

    by k0ala ( 199123 )
    Typical of major corporations to try and drive the bottom line by cost cutting in areas that in today's tech environment are probably the most dangerous over the long term. Of course when something happens it's simple to blame human error and crucify the IT department for not doing their job.

  • by bluephone ( 200451 ) <greyNO@SPAMburntelectrons.org> on Thursday October 03, 2002 @03:37AM (#4379282) Homepage Journal
    The idea that fixed spending per capita versus a share from a budget shouldn't surprise anyone. Merely taking into account volume discounts of products brings the per machine cost down. But this does bring up a good point for execs to look at, in terms of security doesn't HAVE to cost a lot to be effective, if the spending is done wisely. Too many execs skimp on security due to fear of cost, and perceived low ROI, and underestimated exposure risk. It's the typical "It happens somewhere else, but never here" mentality that affects too many sections of society.

    The problem from the clients I've interacted with over the years has rarely been that they spend too much due to wanting X dollars per machine, but in their failure to realize that they too may be vulnerable to threats that they think can't happen. As in many cases in this industry, the bulk of the problem lies about 20 inches in front of the screen. I've often found that some money spent on education is what is needed the most.


  • Press release with summary of the article can be found...

    Here [trusecure.com]

  • by plasticquart ( 75467 ) on Thursday October 03, 2002 @03:49AM (#4379307)
    Herndon, VA - September 17, 2002 - A new survey released by Information Security magazine reveals that large organizations are at far greater risk to hacking and viruses than small companies due to organizational dynamics that hinder the implementation of effective security practices. According to the survey, the first of its kind to benchmark critical IT security trends and practices by organization size, small companies spend nearly 20 percent of their IT budgets on security, while large companies spend only 5 percent, and suffer five times as many security incidents.

    Some of the major findings of the Information Security Magazine survey include:

    • Malicious code, such as viruses, worms and Trojans, remains the number one most concern of most IT security professionals. Some 31 percent of survey respondents said it was their most important problem, followed by the security of authorized users (23 percent) and security vulnerabilities in IT and telecommunications equipment (15 percent).
    • IT security remains a cottage industry when it comes to the establishment and implementation of formal policies and procedures. In multiple ways, IT security is still trying to gain a foothold in the day-to-day activities that govern an organization's operation and culture.
    • As organizations get larger in size, their security departments are not keeping up with the demands of increasingly complex organizational infrastructures. Security spending per user and per machine declines exponentially as organizations grow, leaving most handcuffed when it comes to implementing effective security practices.
    • Spending money on security does not reduce the number of incidents or the probability or extent of loss stemming from those incidents. But allocating more budget and resources to security does not increase an organization's ability to detect loss.
    • Senior IT security professionals have little authority in driving the overall security mission in their organizations. Only 10 percent of chief information security officers (CISOs) report to the board of directors. And while 88 percent of CISOs prepare security budgets, only 37 percent of them approve budgets.
    • by t00tie ( 518552 ) on Thursday October 03, 2002 @05:24AM (#4379430) Homepage
      "Malicious code, such as viruses, worms and Trojans, remains the number one most concern of most IT security professionals"

      I'm an IT security professional, and this really scares me. There are gaping holes in most organisations' internal security that far outweigh the threats from external sources. Examples include:

      • Paranoid mobile-office/home access to the corporate network with virus scanners and what-have-you, while username/password for the mainframe travels in the clear on the corporate LAN.
      • Application (especially web) security with more holes than swiss cheese.
      • Internal users who have full access to everything, and not even decent routines for potentially devastating tasks. Last summer here in Norway most banks stood still because a techie formatted the wrong SAN box in a vital datacentre!
      We're very(?) good at protecting from untrusted users & systems, but not against trusted users & systems. Learning the difference between trusted and trustworthy is extremely educating ( ref [unito.it] )!
      • Paranoid mobile-office/home access to the corporate network with virus scanners and what-have-you, while username/password for the mainframe travels in the clear on the corporate LAN.

        Mod this guy up +1 Informative.

        The biggest problem that gets overlooked in Corporate IT isn't so much remote users but instead the internal users. The biggest threat to any company's IP is that disgruntled employee who downloads a master client list or yanks some code from the file server and takes it with them.

        The threat of a security breach has to be considered BOTH internally and externally. The biggest danger isn't a script kiddie, it's that sales guy downstairs looking for an edge over the guy next to him so he can get more commission (and believe me I've seen it happen).

    • by mmoncur ( 229199 ) on Thursday October 03, 2002 @04:26AM (#4379357) Homepage
      Hmmm. Only 215 "qualified respondents" that provided "reliable information". Then they divide them into small, medium, large, and very large sites. Assuming small networks outnumber large ones by a long shot, just how many "very large" networks (10,000+ machines) could they be getting results from?

      Between the questionable statistics and the bizarre correlation between security and sex mentioned in the first paragraph, this article is nothing but a large serving of Buzzword Soup topped with noise and a sprinkling of anecdotal evidence, with yummy USA-Today-style pie charts for dessert.

      I have spoken.
    • Spending money on security does not reduce the number of incidents or the probability or extent of loss stemming from those incidents. But allocating more budget and resources to security does not increase an organization's ability to detect loss.

      I don't see how this is a useful conclusion unless you differentiate how the money is spent. It's like saying, "We keep buying our executives gold-plated wastebaskets, so why isn't our share price going up?"
  • by Clovert Agent ( 87154 ) on Thursday October 03, 2002 @03:50AM (#4379311)
    You can overanalyse data and get anything out of it. Stats are useful, but only in perspective. I wouldn't make any big decisions based on this survey.

    For a start, 200+ does not an authoritative respondent base make. That's a relatively tiny survey, especially when you bear in mind that "2,196 practitioners completed some portion of the survey. The statistics in this report reflect responses from 215 qualified respondents."

    So, 90% of respondents were invalidated. Why? Didn't fit the curve? Sure, you clean survey data, but when you're left with so few discrete results, any anomaly will look like a trend.

    One other thought (or this'll turn into an essay): of _course_ security spending per user decreases with the size of the organisation. That's what "economy of scale" means!

    The point that organisations tend to underspend IS true, but the predetermined conclusions of surveys like these aren't doing much to dispel FUD.

    I'm not impressed. ISM should be doing a lot better than this. It's not all bad, but it's far from realistic.
    • Exactly how many companies are there with over 10,000 computers? Getting 52 of them seems to represent a good percentage of them. Keep in mind that Microsoft has about 35,000 machines, Google has 22,000 machines and Enron had much less than 10,000 (nice dovebid auctions btw).

      That seems like the best data that could be gotten given that most companies that large would not respond or would be evasive in their answers.
      • Actually, Enron is still in business, despite being bankrupt, and still using quite a few of its computers, thank you very much. They weren't all auctioned at dovebid. In fact, Enron at its height had somewhere around 48,000 computers, despite the fact that it only had around 30,000 employees.
  • effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount

    Without reading the article in detail (will do it after posting, how clever ;)) that conclusion seems utterly logical. Higher share probably reflects the fact that the company management has understood the importance of IT security. And this probably shows everywhere else in the organisation.

  • by Anonymous Coward on Thursday October 03, 2002 @04:04AM (#4379334)
    All too often organizations will also trust the firewall to keep the company secure with WAY too little attention to keeping internal machines patched and up to date. Of course, this leads to a single point of failure, and if anyone makes it past the firewall it's a total free-for-all.
    • this article is nothing but a large serving of Buzzword Soup

      Which means my boss will be quoting it to me in the morning as a mantra, perfect and undeniable. It will take precedence over my decisions and all those who disagree with it will be fired, er, downsized.
  • The biggest weakness of any security system is always the human part. Overreliance on 'security software' only amplifies the vulnerability of firms to a resourceful attacker.

    On a semi-related tangent: Some of you might be interested in the account of how a UC San Diego student with a crummy GPA managed to fast-talk his way into a Silicon Valley investment-banking firm internship [livejournal.com].
  • ...the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount.

    Perhaps businesses that spend a larger share of their IT budget on security give it a larger priority in general.
  • I wonder if anyone has ever hacked into Google? I'm not talking about creating false high listings but actually cracking Google's database itself. Getting their full internal Zeitgeist would be a target I assume, based on how useful the extremely limited version they post each month is.

    They do have an incredible number of machines all connected directly to the internet.
    • Most of their zeitgeist was(is) pretty much online. With an old adwords account, the pay per impression kind, you could enter any set of keywords and it would tell you the number of searches per day/week/month. Assumedly you could run a bunch of fairly large lists through it and collect the data you needed that way.

      The new adwords doesn't give you absolute hits per day/week/month, but it does give you an indication of how popular keywords are, when it estimates your cost to run a keyword.

      The old adwords is being deactivated very soon (if not already).
  • The number one concern cited in this article is viruses and malicious code, yet all the corporations want to run Windows, which seems vulnerable down to its root core.

    Now, if my company went cold turkey on Windows and MS Office it probably couldn't continue to do business. That's right, our business would dry up, real fast. We could use Macs, of course (at huge transition expense, but doable), but we'd still need MS Office. I'm an avid home user of OpenOffice (on Linux) - I love the program and have found it entirely serviceable as a general office tool, and it's a tool that could certainly be used by office workers. However, if a pool of secretaries and clerks had to deal with MS Office attachments coming in all day, and had to convert all their outgoing work product to MS Office-compatible files, that would be a real problem, operationally. For service companies and others doing a lot of business with the outside world (probably most of the corporate world), weaning off of MS Office is not a real option at the present time.

    So, MS has all these companies by the short hairs. Microsoft doesn't really HAVE to give a damn, actually, about the security vulnerabilities, because they do not make IT vulnerable in any material sense. The customers have no real choice. Microsoft just has to make it easier to deploy their own products and incorporate more "features", and all the macro, scripting, component and plugin capability built into their products plays into that objective just fine.

    Not that it's so terrible to be a MS customer. Their latest enterprise agreements were quite reasonable. You just have to keep paying, and most management accepts that. And you get pretty decent service from them, really. The customer takes all of this (security flaws included), with a big smile on its face! The result is a nice annuity from virtually every business organization in the world. Better than being a tax collector.

    Security won't go anywhere, IMO, until either the government or the corporate users en masse get up and demand something better.

    One thing I never understood is why Microsoft isn't vulnerable to class action lawsuits, like the pharmaceutical companies get hit with all the time. That would straighten them out real fast. The answer may be that the people who would do this suing would be corporate america, and it's against their ethic to bring these kinds of suits (they're stuck defending them most of the time).

    Maybe if times get tougher, or business more competitive, companies will have to think about how much these problems are really costing them, and whether it makes economic sense to start doing something effective about it. I don't think we're there yet.
  • Software suppliers are trying to make their software packages more
    "user-friendly". ... Their best approach, so far, has been to take all
    the old brochures, and stamp the words, "user-friendly" on the cover.
    -- Bill Gates, Microsoft, Inc.
    [Pot. Kettle. Black.]

    - this post brought to you by the Automated Last Post Generator...
