Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Businesses Spend 20% of IT Budgets on Security

samzenpus posted more than 6 years ago | from the protect-ya-neck dept.

Security 141

Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."

cancel ×

141 comments

Sorry! There are no comments related to the filter you selected.

SLASHDOT SUX0RZ (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20934987)

_0_
\''\
'=o='
.|!|
.| |
click this link, you know you want to [goatse.ch]

Re:SLASHDOT SUX0RZ (CLICK THE LINK!!!!) (-1)

Anonymous Coward | more than 6 years ago | (#20935135)

I don't want to click that link. Why would you think I would want to click that link?

OMG, you know what? I'm going to click that link. I feel compelled.

P.S. anyone who mods me down is a Poindexter and a square.

Re:SLASHDOT SUX0RZ (CLICK THE LINK!!!!) (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20935391)

I won't mod you down, CockSukKkio, I won't mod you down(!!!!1111)

Re:SLASHDOT SUX0RZ (CLICK THE LINK!!!!) (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20935501)

I double-dog dare anyone to mod me down.

Anyone that doesn't mod me down is my bitch.

Re:SLASHDOT SUX0RZ (CLICK THE LINK!!!!) (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20936287)

MOD ME DOWN! =3

NIGGERS SUX0RZ (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#20935899)

Niggers sux.

that's how we roll around here (5, Funny)

User 956 (568564) | more than 6 years ago | (#20934997)

Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday ... That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004.

That makes sense. I mean, nerf weapons count as a security expense, right?

Re:that's how we roll around here (4, Funny)

Architect_sasyr (938685) | more than 6 years ago | (#20935161)

Definitely do. It's the only way I can keep the damn bean counters from getting into mission control!

Re:that's how we roll around here (1)

damonlab (931917) | more than 6 years ago | (#20936199)

I just pictured myself writing 'USB security device' on a purchase order.

Re:that's how we roll around here (1)

sg_oneill (159032) | more than 6 years ago | (#20937093)

You could probably do more damage with firewire.

(Ok, terrible joke. I know)

1 layer of the onion (1)

mackermacker (250587) | more than 6 years ago | (#20936399)

nerf weapons huh... I guess if your a security auditor like me, you should consider switching firms. Our motto over here is 'defense in depth'....

In terms the Nubian can understand, that means we also have the matching shields and hats.

Re:that's how we roll around here (1)

dintech (998802) | more than 6 years ago | (#20937511)

What about stairs? She's going to need some nerf stairs too.

To bad most of it is Stupid Security. (3, Insightful)

jellomizer (103300) | more than 6 years ago | (#20935003)

I have waisted more time making workarounds these "security fixes" then ever just because they
want to think they are safe but they never really consider the underlining problems with security.
90% of the Market is using the SAME FREAKING OS! So they work on blocking legit Web Mail so
Windows Viruses cant get in. Scanning all attachments to make sure there is no VBScript in Office
For Windows Documents. Trying to block sites that could possible be considered to have Windows Spyware.

Stop using freaking Windows all the time. Linux/Mac Workstations with VMWare to load Windows for those
Windows only apps, Stop wasting time with making Windows Console application and focus on Web Based Apps
Even if it is with .NET on a Windows Server, which you can run the Apps on any other browser, and OS.

Of course gust going to a different OS isn't the only solution you need good firewalls and such. But...
The core of the problem is Windows. Get Rid of Windows or reduce it to more bit parts then your companies
security is so much better.

Yes PHB MBA wont get it, they are afraid of doing anything differently then the rest. IT people will resist
too because they don't know Linux or Macs as well as windows and are not willing to learn. But if you need
to focus on security you need be different then the rest.

You need to be flexible so If Macs or Linux becomes insecure (One to many features can cause that problem) then
your custom apps need to be multi-platform or at least cross compilable to move from one system to an other.
That is the correct direction for security. Not this Block you from getting you work done stuff.

Re:To bad most of it is Stupid Security. (4, Insightful)

CaptainPatent (1087643) | more than 6 years ago | (#20935113)

Actually, a linux box in the hands of a clueless user can be just as dangerous [slashdot.org] if not more so than a windows box in the same hands.

The real threat is ignorance here. That includes buying unnecessary security equipment, operating and running the system itself, and improperly using software firewall and routing.

Re:To bad most of it is Stupid Security. (1)

UncleTogie (1004853) | more than 6 years ago | (#20935217)

Actually, a linux box in the hands of a clueless user can be just as dangerous if not more so than a windows box in the same hands.

Depends on the distro...I've seen some live CDs that could cause trouble in the hands of a padawan...

The real threat is ignorance here.

I'm not so sure. I'm more likely likely to attribute illegal intrusions/Tphtphtph-ware to the weenies engaged in it. I'm not saying it's impossible to accidentally write fast-spreading worms, [wikipedia.org] but I believe it's a wee bit rarer than the intentional sort.

Re:To bad most of it is Stupid Security. (1)

Techman83 (949264) | more than 6 years ago | (#20935915)

A clueless Admin hosting something maybe. But by default install of Desktop Linux those services that can be cracked if not correctly setup are not running. A defualt install of Desktop Linux is far more secure and safe then the default install of Windows.

Lets compare apples to apples peoples!

Depends on your view of "security" (3, Informative)

pedestrian crossing (802349) | more than 6 years ago | (#20937179)

A clueless Admin hosting something maybe. But by default install of Desktop Linux those services that can be cracked if not correctly setup are not running.

You are taking a very shallow view of security here. Sure, controlling what services are listening is a good first step. But your biggest threat isn't the outside hacker. It's the inside guy. It's being able to -prove- who did what, when.

A defualt install of Desktop Linux is far more secure and safe then the default install of Windows.

But once you move beyond that default install, and beyond shutting down unnecessary services, Linux isn't necessarily that "secure". The default install of Linux still has many problems that have to be addressed in order to have a secure system. Of course, so does Windows, but my point is that you cannot just load Linux, turn off services, and think you have anything like a secure system. In fact there are some advisable security requirements that are harder to implement on Linux than on Windows.

I have secured both to NSA recommended standards, and yes, in general I prefer Linux, but don't fool yourself that any like a default Linux install is inherently secure, especially when it comes to auditing and attribution.

Re:To bad most of it is Stupid Security. (1)

marcosdumay (620877) | more than 6 years ago | (#20938275)

"The real threat is ignorance here."

When you are talking about Linux, BSD, Solaris, etc, yes, it is.

When talking about Windows, you have to clear all the way from browsers that execute arbitrary code from the web; files that execute automaticaly and the interface won't let you know beforehand; media that execute automaticaly, virus that spread trough text files, spreadsheets, images, video, etc; dialogs appearing all the time, trainning the user to agree to every one of them; And the list goes on...

Re:To bad most of it is Stupid Security. (0)

Anonymous Coward | more than 6 years ago | (#20936029)

I have waisted more time making workarounds these "security fixes"
I'm trying to parse this and just can't quite manage. Do you mean the security fixes are something around your belt, they're making you too fat, what? Did you mean "wasted"?

- A very confused grammar nazi

In Short... (2, Insightful)

Hooya (518216) | more than 6 years ago | (#20936439)

... Business spend 20% of their IT budgets - but only after spending 80% of the budget on MS software.

I can't believe business (we currently do) have "hiring/bonus/travel" freeze but don't think twice about spending money on MS Software specifically. I guess better to pay MS employees than your own.

Re:To bad most of it is Stupid Security. (4, Insightful)

Lobster Quadrille (965591) | more than 6 years ago | (#20936501)

As the head of my company's security department, the problem does not lie with Windows.

I am no fan of Microsoft- after much fighting with my boss over it, I'm the only person in a mid-sized web design company running Linux on his desktop, but the core problem has nothing to do with Windows- at least not solely.

The problem comes down to several things:

Incompetence of users: This is the only place the the end OS really makes a difference, but all in all, I'd rather see the morons using Windows than Linux, just because they are already familiar with it. It's pretty tough to convince the uppers to retrain an entire company. That time and effort could in fact be better spent working on virus protection, network monitoring, etc., which any responsible security team still needs to do.

Pre-existing infrastructure: Companies start small, usually with the IT department consisting of a guy who sort of knows how to build computers. As the company grows, the infrastructure is forced to expand with it. Generally, this invlolves hacks and patching things together until it reaches a breaking point and a real network engineer is brought in. The problem there is that he still needs to keep everything up and running. You can't exactly take down a network, lead/customer management database, external web applications, etc, rebuild them all from scratch, then move everybody over. If the company can't maintain a baseline of functionality, than a security/network overhaul won't do anybody any good.

Cluelessness of management: Spending money on security rarely affect's the company's bottom end directly. The only way to get them to take security seriously is to show them what it will cost them to not do so. This isn't as hard as it sounds though- if you can convince upper management to participate in creating company security policy, you can start to show them that A) security involves not just confidentiality, but also availability and integrity of assets- two aspects that are far more critical, particularly in upper management's eyes. B) Protection of those assets is the responsibility of management. Hiring a security guy will do no good unless he has support from the top. When something goes wrong, they may have a patsy, but they suddenly won't have that database of customer information.

It's nice to hear that companies are spending 20% of IT budgets on security, though I don't believe it. Regardless, there is definitely a positive trend. The companies are starting to realize that security isn't something you can pick up for the price of a firewall and a pentest- it's a cyclical process involving constant auditing, defining and refining processes in all aspects of the company (which is why management support is so critical), and most importantly, fixing problems WITHOUT interrupting the normal flow of business.

Re:To bad most of it is Stupid Security. (1)

liquidpele (663430) | more than 6 years ago | (#20938119)

Don't forget that the 20% includes contracts to get updates to all their security products. Most of them don't do much good unless you can get frequent updates (with the exception of a firewall I suppose). Because it's a yearly expense, I'm sure it eats up a good chunk of the 20%. My question would be, how many companies actually do audits of their security? My guess is not many. Most probably just throw stuff on the network/laptops to be in compliance with some rule.

Re:To bad most of it is Stupid Security. (1)

ancalikorn_pk073892 (1164765) | more than 6 years ago | (#20938487)

Compare to other Operating System,Windows mostly use email filtering, antivirus and firewalls. Then the user have the personal costs of running, maintaining and administering these products (such as updating antivirus). We have very little in the way of wireless networks, but if we did, they would be another cost (more administration then anything). So, it probably isn't 20% of the total expenses, but it would have to be close.

Re:To bad most of it is Stupid Security. (1)

MindPhlux (304416) | more than 6 years ago | (#20936543)

cross platform web based apps as a bottleneck for security I had never thought of. I am defenitely keeping it in mind for my next development project though!

Blue Ribbon (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20935005)

1st Place Posting for Security!

I call bull (2, Funny)

flyingfsck (986395) | more than 6 years ago | (#20935007)

Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up that much of the budget, except maybe if the surveyed all use Windoze...

Re:I call bull (5, Informative)

teh moges (875080) | more than 6 years ago | (#20935087)

I'm not sure about you, but we (Windows mostly) use email filtering, web content filtering, anti virus and firewalls. Then you have the personal costs of running, maintaining and administering these products (such as releasing false positive emails, updating anti virus). Then I suppose you can count the fact we have a server for WSUS as an ongoing cost. We have very little in the way of wireless networks, but if we did, they would be another cost (more administration then anything).

When I think about it, it probably isn't 20% of the total expenses, but it would have to be close.

Re:I call bull (1)

SailorSpork (1080153) | more than 6 years ago | (#20936179)

It could seem a lot closer to 20% if you take into account having to manually roll out Windows Updates network-wide after testing each update to make sure it doesn't do anything funky to your critical systems. Of course, the article mentions the top 3 as "Anti-virus, firewalls, and proxy servers," which seem relatively OS-neutral... not counting the fact that >95% of viruses are written for Windows.

Re:I call bull (1, Informative)

guruevi (827432) | more than 6 years ago | (#20936357)

You must be having an IT person for every 20-50 users or so to support all that crap.

E-mail filtering: Just some spamfiltering and clamav so we don't propagate virusses in case somebody decides to forward it
Web content filtering: A big loss in $$$ since every single one of your employees WILL find a way around it which reduces security to even less since they'll be using less controllable techniques while having to look for it on Warez sites (which do have a lot of issues with random virusses etc.)
Anti-virus: Sits in my e-mail, otherwise not necessary. Just in case I DO need it, I have ClamAV on stand-by to scan all user directories on my XRAID
Firewalls: A single firewall cluster in front of my boxes (which all have a PUBLIC IP) will do, thank you, if you decide to have it on each box, see my comment on Web content filtering since they can't run any ol' program (even if it's just a game)
Administering the products: Send false positives through with a TAG or even MIME-attached, strip the attachment if it contains a virus, SpamAssassin, ClamAV, Amavisd and Postfix CORRECTLY set up will do that for you. So far no false positives though.

Server for WSUS costs you that much money? Distributing packages doesn't cost me anything and I think an update service like that should come for free as courtesy for buying so much client licenses. I have Mac OS X Software Update (free with Server) and a local repository of relevant Fedora Core and Debian updates on the same server which I also use for developing and other stuff, it also does my tape library and backups at night. Ok, the hardware and license had to be bought and if you have a really large organization (+10,000) you might need a separate server to do that but I see many running really large (100's of GB) public repositories (look at all the Univ entries for any distro) and they run on one or two servers for constant >100MBit loads.

Wireless networking? Why worry. Rather worry about ANY laptop whether wireless or wired. Make sure the wireless clients don't get on your local network, use WPA with RADIUS (did I mention that's usually free and supported on every cheap or expensive wlan router) and treat them like you would any other VPN connection. What, you don't trust the computers on the VPN either do you? Why would you? Just because they're your laptops doesn't mean the employee's kids don't play with it once he gets home!

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20938591)

Server for WSUS costs you that much money?

It costs more than it should. You need a windows server edition ($800). The preferred method of install also involves SQL server - I think that's like another $800. You can use the free desktop engine as well though.

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20937173)

When I think about it, it probably isn't 20% of the total expenses, but it would have to be close.
Let's not forget the cost of rebuilding compromised desktop machines and servers. I know that shouldn't happen if you keep your fortifications up-to-date but with vulnerabilities being available to malware makers before they are even reported to OS and Software manufacturers some of your machines will get compromised. Rebuilding servers in particular is a major pain.

Re:I call bull (1)

Stormwatch (703920) | more than 6 years ago | (#20935117)

except maybe if the surveyed all use Windoze...
Sadly, that's usually the case.

Re:I call bull (1)

damn_registrars (1103043) | more than 6 years ago | (#20935129)

Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up that much of the budget, except maybe if the surveyed all use Windoze...


And why would that surprise you? Like it or not (I certainly don't), windoze is the most common OS in the world - be it desktops, workstations, laptops, file / app / print / web servers ... Which of course leads to it having the largest number of security faults per cost.

Re:I call bull (2, Funny)

spykemail (983593) | more than 6 years ago | (#20935209)

When did IIS become #1? And where is the nearest suicide booth?

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20936529)

Who said IIS was #1?

Re:I call bull (1)

spykemail (983593) | more than 6 years ago | (#20937675)

Look at the parent's list.

Re:I call bull (1)

Anonymous Coward | more than 6 years ago | (#20935167)

Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up that much of the budget, except maybe if the surveyed all use Windoze...

I've worked in management for several Fortune 500 companies and you would have to include all SOX activities and all your redundancy (including hardware, datacenters and staff) in the "security" to even come close to these numbers.

A very rough ballpark is that 1/3 is people, 1/3 is depreciation and 1/3 is hardware/software.
Or sliced differently: 1/3 is ERP, 1/3 is stuff the business is using to do business and 1/3 is infrastructure.

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20935195)

Some are just throwing their money into a hole in the ground. [slashdot.org] After articles like that, one could believe that many would think 20% sounded cheap.

Remember the old joke about putting cement into the server and dropping it in the Marianas Trench? Don't be suprised if someone tries to build a server farm there. Sure would hate to get that bill.

Re:I call bull (3, Informative)

jonadab (583620) | more than 6 years ago | (#20935307)

> Unless they count a UPS, RAID and tape drives as security, there is no way that security can eat up
> that much of the budget, except maybe if the surveyed all use Windoze...

I'm sure a significant percentage of them use Windows, but what you're probably missing is that a lot of the security stuff that's typically sold to corporations (including, even, firewall solutions) is sold on a subscription basis, so that you have to pay every n (typically, twelve) months just to keep the same level of protection that you already had.

Most other computer stuff is licensed for an indefinite period of time, so if a given system has a lifespan of five years, you only pay for the hardware, OS, office suite, and so forth every five years, but you pay for the security stuff five times as often. So it could cost 1/20th as much as the rest and still take up 1/5th of the budget.

For instance, you might buy a workstation for $500, which comes with Windows XP included and a keyboard and mouse. To go along with that you might also buy a $250 LCD and a $650 license for MS Office, and you might use the thing for five years. During that time you might pay for Norton Internet Security every year, at about $70 a pop. Those aren't atypical figures these days, but if you multiply it out, security is one-fifth of the total budget for that workstation over five years.

It does get a little weirder when line-of-business software is included (you know, stuff in the "let us know you're interested and we'll assign a sales team" price range), because that stuff usually has annually-renewed maintenance contracts on everything, including the hardware. OTOH, security solutions at that kind of level tend to be more expensive as well, e.g., the vendor might roll one of Symantec's enterprise-level security products right into your plan and consider it a required part of the solution.

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20935421)

Most RSA products (SecurId, ClearTrust, Keon, Key Manager...) have annual licence fees that start in the six figure range and easily get into seven digits for Fortune 500 installs on a per user basis. And most Fortune 500 companies have at least one of those products, and it's nearly the last in their portfolio of software and hardware that's budgetted for security.

Re:I call bull (0)

Anonymous Coward | more than 6 years ago | (#20935623)

large portion comes with outside security consultants who pitch massive sec pol changes in an audit. Usually involves buying proprietory hardware/software solutions along with expensive support contracts in order to maintain the systems without keeping said consultant on.

Translation:

The inhouse IT dept sucks, but has built an infrastructure in which it is difficult to rebuild things without making up some crud about needing to perform a security audit. Then they $$$ pay for magical products in the hopes that their problems will go away.

Those things certainly are part of I.S. security.. (1)

Nick Driver (238034) | more than 6 years ago | (#20935685)

Unless they count a UPS, RAID and tape drives as security
 
...they definitely fit into the FIPS 199 concept of the CIA triad [wikipedia.org] , which stands for:
Confidentiality
Integrity
Availability

UPS and RAID are part of Availability and tape backups (disaster recovery) are considered under both Availability and Integrity.

Re:I call bull (2, Informative)

arivanov (12034) | more than 6 years ago | (#20936755)

It can.

AV , Client firewall, Integrity checkers and patch deployment, VPN, Firewall, Compliance, etc in a Windows shop ramp up to somewhere around there. Actually, quite often they are even more.

pebkac security patch (2, Insightful)

wizardforce (1005805) | more than 6 years ago | (#20935047)

I wonder how much of that spending went to training their employees that "password", "letmein" and lastly "123" are *NOT* the best passwords.

Re:pebkac security patch (1)

damn_registrars (1103043) | more than 6 years ago | (#20935093)

Some people, honestly, seem to be untrain-able in that regard. I once had a coworker who not only used 'manager' as his password, but told damn near everyone in the company that was his password.

You guessed it, even the people he managed new it...

Re:pebkac security patch (5, Funny)

UncleTogie (1004853) | more than 6 years ago | (#20935329)

I wonder how much of that spending went to training their employees that "password", "letmein" and lastly "123" are *NOT* the best passwords.

Just happened today: The uber-friendly shopkeeper next door asked me to help him void a transaction. When the password prompt came up, he looked at me and simply said, "1-2-3-4-5."

I couldn't resist. I looked back at him and said, "That's funny. I've got the same combination on my luggage..." [wikiquote.org]

Re:pebkac security patch (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20936573)

I couldn't resist. I looked back at him and said, "That's funny. I've got the same combination on my luggage..."
It's not so funny when you use the same quote at LEAST twice a day, in regards to customer and employee-chosen passwords. During a recent audit, I checked a database of hashes against my rainbow tables, and I shit you not, one in 5 passwords was either 12345 or password.

Re:pebkac security patch (1)

UncleTogie (1004853) | more than 6 years ago | (#20936685)

It's not so funny when you use the same quote at LEAST twice a day...

Oh, believe me, I know. I wasn't using the "amusing" connotation of the word "funny". What tore me up was he blurted out his password QUITE loudly... in front of customers. Thank God I trained myself to keep a straight face when I was younger...

Re:pebkac security patch (3, Insightful)

jonadab (583620) | more than 6 years ago | (#20935361)

> I wonder how much of that spending went to training their employees

On average, not nearly enough. Employee training practically always gets shortchanged, and I'm not just talking about computer security, or even just about computer technology generally. It's true across the board in most industries.

Worse, in a lot of industries, the money that _is_ budgetted for employee training gets mostly wasted on worthless nonsense, not spent on the training the employees could actually *use*.

And then what part goes to anti-spam? (3, Interesting)

damn_registrars (1103043) | more than 6 years ago | (#20935053)

Since we now have a way to track security expenditures, we should have some way to track money spent on anti-spam measures. Considering how well the anti-spam hardware and software sells, I'll venture its a nontrivial expense, as well.

Even if you're just running some spiffy implementation of spam assasin, it still gets your time at some frequency to update the rules, amongst other things.

Re:And then what part goes to anti-spam? (1)

Lobster Quadrille (965591) | more than 6 years ago | (#20936681)

FTA:

"The survey results also revealed that for each dollar spent on security, about 42 cents goes toward technology product purchases. In general, 17 cents goes toward security-related processes; 15 cents covers training; 12 cents for assessments; and 9 cents pays for certification. The balance goes to other items."

"Security" analysts (4, Insightful)

Da_Biz (267075) | more than 6 years ago | (#20935085)

At some of my consulting client sites, I've been underwhelmed by the quality of their "security analyst" staff. I've found that staff seemed to be more interested in putting their name on boilerplate "best practices" to pass off to others, rather than taking a hands-on, collaborative approach in working with sysadmins to really verify that their systems are secure.

Don't even get me started on social engineering and how circumventable many secured entry systems are. It's a sad thought that someone posing as a lowly janitor could have free rein in most data centers.

P.S. Security policy writers: why not start by giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone (including some sort of challenge/response question for them to answer)? Simple, inexpensive and effective compared to a lost or stolen keycard falling into the wrong hands.

Re:"Security" analysts (2, Interesting)

MichaelSmith (789609) | more than 6 years ago | (#20935547)

giving your employees with access to high-security areas a way to disable their keycards 24 hours a day by phone

At my workplace the security people combined the ID card with the RFID access card so now if you lose the RFID card the person who finds it can go directly to our site and walk in.

Re:"Security" analysts (1)

ForestGrump (644805) | more than 6 years ago | (#20936043)

That's why I ran my RFID card through a paper shredder and just call someone to open the door for me whenever I need to get in. If nobody is in the lab, I get security to let me in then. So much more secure!

PHYSICAL security is necessary. (-1)

Anonymous Coward | more than 6 years ago | (#20935119)

To protect against violent, thieving niggers.

It is the future daniel-san (1)

deftones_325 (1159693) | more than 6 years ago | (#20935131)

Get with it. Security is the way of the future. Lan-Administration is on its way down. Security is on its way up. If I had a dollar for every time a rouge wi-fi access point is set up that compromizes the whole network... and people using default passwords... anyway.. its no wonder companies need to hire 2 security guys to go around to tell everyone not to make thier password thier kids/pets name/birthday..

sex with a Goat (-1)

Anonymous Coward | more than 6 years ago | (#20935139)

or a 4ubl1c club,

lol (4, Funny)

spykemail (983593) | more than 6 years ago | (#20935185)

It's the same thing people always do when they screw something up and don't know how to fix it - throw money at it. I love it when IT companies get paid to implement "security" features (speed bumps) then "service" (disable) them. It would be like funding an invasion of a country then paying for the reconstruction of all the shit you just blew up~

Re:lol (1)

ScrewMaster (602015) | more than 6 years ago | (#20935435)

It would be like funding an invasion of a country then paying for the reconstruction of all the shit you just blew up~

You forgot the "oh wait ..."

necessary precautions though? (1)

evann (667628) | more than 6 years ago | (#20935243)

Do these firms spend these security dollars properly or do they just do as recommended by whichever software/analyst group wants to sell them more software/and or information on holes? How much of the $$$ designated forward security is worth it? Anyone have insight into that aspect?

Pfft! (1)

NotQuiteReal (608241) | more than 6 years ago | (#20935273)

How much of any amount that anyone spends on anything is "worth it"?

Re:necessary precautions though? (2, Insightful)

pedestrian crossing (802349) | more than 6 years ago | (#20937235)

Do these firms spend these security dollars properly or do they just do as recommended by whichever software/analyst group wants to sell them more software/and or information on holes? How much of the $$$ designated forward security is worth it?

Insightful question.

Managers and the clueless (obviously not mutually exclusive sets!) are always looking for a "security product", the silver bullet.

The reality is that security is a process, not a product. You have to incorporate it into your policies, plans and products from the ground up.

Security "products" (firewalls, IDS, NMS, etc.) are the icing on the cake, but are pretty much meaningless on their own. This is clearly not what most managers want to hear, they want to spend some money and be done. That's why there is so much money to be made in security snake oil, because the reality of information security is that it is expensive, not in terms of buying stuff, but in terms of an ongoing commitment to incorporating the principles into everything you do.

Many times this translates into the fact that the easiest path to getting something done is not the best path. That is a difficult reality for management to relate to.

20%, sure ... (1)

ScrewMaster (602015) | more than 6 years ago | (#20935265)

and how much of that goes to the likes of Symantec?

Thanks, Bill! (0, Insightful)

Anonymous Coward | more than 6 years ago | (#20935271)

Thanks, Microsoft, for innovating the virus industry into existence.

Re:Thanks, Bill! (1)

spykemail (983593) | more than 6 years ago | (#20935319)

Keeping your faulty code as far from the eyes of competent software engineers as possible only leaves black hats to play with it? Who knew!

Re:Thanks, Bill! (1)

Torvaun (1040898) | more than 6 years ago | (#20935427)

Yes, because no [wikipedia.org] malware [wikipedia.org] exists [wikipedia.org] on [wikipedia.org] any [wikipedia.org] other [wikipedia.org] systems [wikipedia.org]

Re:Thanks, Bill! (1)

dbIII (701233) | more than 6 years ago | (#20935919)

Obviously it does but it's pretty rare. The current danger is bored script kiddies and spammers that want to own as many boxes as possible in a short time. MS Windows is the soft target for these people, paticularly the hobby version and not the server version. While dictionary attacks work on other systems if the box has unfirewalled ssh with bad choices of usernames and passwords (and passwords instead of keys) it is slow even then and hopefully boring. Even when they get in they still need to ecscalate priveleges to root before they can even use it as a portscanner let alone anything else. In the time they take to get a poorly secured *nix box they could have taken over dozens of badly set up MS Windows boxes.

Re:Thanks, Bill! (1)

SL Baur (19540) | more than 6 years ago | (#20936169)

MS Windows is the soft target for these people, paticularly the hobby version and not the server version.
This storm virus thingie deliberately avoids infecting MS Windows server edition. I don't think that counts. *Anything* Microsoft is a soft target, as is any networked computer with a clueless admin.

Re:Thanks, Bill! (1)

drsmithy (35869) | more than 6 years ago | (#20937133)

In the time they take to get a poorly secured *nix box they could have taken over dozens of badly set up MS Windows boxes.

That's to be expected. Given the market share disparity, even if every other factor was equivalent [0], you would still expect to see at least ca. 40:1 "pwnership ratio".

[0] And they're not. Without even bringing technical aspects into the discussion, Windows is already at a serious disadvantage to Linux in terms of "security" because if its user demographic.

Re:Thanks, Bill! (1)

dbIII (701233) | more than 6 years ago | (#20937985)

That's to be expected. Given the market share disparity

A common misconception but easily corrected by paying attention. The Apache vs Microsoft ISS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit. Furthurmore you HAVE to bring technical aspects into the discussion for it to be anything other than worthless fortunetelling.

Re:Thanks, Bill! (2, Insightful)

drsmithy (35869) | more than 6 years ago | (#20939029)

A common misconception but easily corrected by paying attention.

Anyone who doesn't think market share is a significant contributor to a product's "security record", is a fool blinded by zealotry. There are so many critical aspects of "security" that are related to market share, it's simply an inescapable factor.

The Apache vs Microsoft ISS example where market share is skewed in the opposite direction shows the market share thing is either a feeble excuse or complete and utter marketing bullshit.

Those "paying attention" will notice that a) IIS has had better "security" for some time now and b) IIS and Apache have similar levels of marketshare. Even before then, cherrypicking an atypical example from a tiny subset of the market, does not make for a compelling argument (neither for nor against) in the general case. The plural of anecdote is not data.

Furthurmore you HAVE to bring technical aspects into the discussion for it to be anything other than worthless fortunetelling.

From a technical perspective, all the major platforms have been basically equivalent for over half a decade now (and before that, Windows NT was - "technically speaking" - streets ahead of unix variants, ironically refuting the whole "bad design" argument in one fell swoop). Further, the single biggest influence on security - users - is "non-technical".

Finally, your "marketshare is irrelevant" argument completely misses the point I was making - that even if all else was equal (ie: in any given situation, a Linux machine and a Windows machine had exactly the same probability of being compromised) you still expect to have "dozens" more Windows machines compromised than Linux machines, because they outnumber them ca. 40 to 1. Here, I'll even make a car analogy to emphasise the point; There are 100 identical cars in a garage. Ninety of them are owned by Caucasians, six by Asians, three by Negros and one by an Indian. Which ethnicity do you expect have the largest number of cars stolen from them ? Do you believe this is due to racism or statistics ?

Or, to put it another way, if you believe Windows - today - should have anything close to as "good" a "security record" as Linux, you fail at basic logic, reasoning and maths.

Re:Thanks, Bill! (1)

pedestrian crossing (802349) | more than 6 years ago | (#20937261)

Script kiddies and spammers are easy to deal with, they are the least of your problems. Your biggest problems are the pros, the insiders, your users, God, and Murphy.

Re:Thanks, Bill! (0)

Anonymous Coward | more than 6 years ago | (#20937277)

Wow, two of those were in the past four years. One of those couldn't get beyond it's own subnet. The other didn't attack the operating system, but was phpBB, and even then there was a patch for the vulnerability a month before the virus.

Apart from the one from 2001, all your other examples are from the 1980s. Good to see you've given solid, unassailable examples.

(Captcha is 'outdated'. How apropos)

increase in security budgets (1)

TT076659 (1167037) | more than 6 years ago | (#20935379)

From my point of view, the increase in security budgets is due to the increase in number of ways a system can be attacked. There's no doubt that security is very important for businesses. It's better to spend more on security rather than being attacked and hacked or anything like that, which can lead to more losses.

Hahaha (2, Insightful)

foo fighter (151863) | more than 6 years ago | (#20935419)

hahahahahaha!

Twenty percent...

Oh, that's rich. Oh my. Oh. Hoo!

Flying Spaghetti Monster, I love surveys and statistics. I've worked in internal security for the past couple years at a big accounting firm and as a security consultant for many years before this.

Everyone knows they should be doing more to stay secure, but that fact is security doesn't do anything obviously positive for the bottom line. It's like flossing: most people floss when they have some chicken stuck between their molars but they don't do it every night. (Little tip for everyone trying to get money for security: give up on ROI; sell it like you're selling an insurance policy.)

When CIOs or CISOs get these surveys they fluff the numbers because they know they are supposed to be secure even if they have a hard time justifying security spending to the Board. "Oh yeah, we spent $X on Security. That's about 15-25% of our IT budget." What they don't say is that number includes the payroll (including salary, benefits, and payroll taxes) of all IT staff that have anything to do with security, audit, or regulatory compliance.

Contrast that with asking them what they spent on email they'd probably tell you about their Exchange license fees and maybe some server hardware. They'll leave out staffing costs, retention software and SAN, etc.

My guess is that the average IT budget is spending maybe -- MAYBE -- 10% on security, audit, and compliance related expenses.

I will admit here that I didn't RTFA. If the survey population was mostly US-based publicly traded companies that fall under SOX regulations the 20% number is a tiny bit more believable because CFOs and CEOs don't want to go to jail based on a fuckup by a minimum wage (in their frame of reference) IT staffer.

Re:Hahaha (2, Interesting)

ScrewMaster (602015) | more than 6 years ago | (#20935449)

Security is a subset of IT, and IT as a whole is not a profit-center ... it's an operating expense. Now, what is it that most execs try to do with operating expenses?

Re:Hahaha (-1, Flamebait)

foo fighter (151863) | more than 6 years ago | (#20935489)

Security is a subset of IT, and IT as a whole is not a profit-center ...

Wow. That is so incredibly absofuckinglutely wrong I almost didn't post a reply.

Welcome to Earth post digital computers. Where have you been for the past almost-a-century?

Information technology is a source of efficiency and innovation. Both of those drive profits. IT doesn't come without risks, however. Mitigating those risks is IT security.

IT security isn't really part of IT, even though it's usually placed in the same department of the org chart and in the same budget. It is a part of the insurance package every business owns.

Re:Hahaha (4, Insightful)

ScrewMaster (602015) | more than 6 years ago | (#20935635)

And you so absofuckinglutely missed the point it's almost hard to bother replying. You seem confused about the term "profit center" which has a very specific meaning in most businesses. I didn't say that advanced technology was useless or doesn't help industry: I've been an industrial software developer for damn near thirty of those years, so there's no reason to get testy. I suspect you're just being deliberately obtuse so's you can use the word "absofuckinglutely". Good for you. If you'd actually grasped what I was trying to say, you'd have understood that I was referring to the perspective of the suits running a company, not the utility of information technology in general.

Look, you run a company. How do you see the world? You see it in terms of money coming in ... and money going out. Those guys on the production floor making product? Money coming in. That programmer cranking out code for the latest release of the company's premier software product? Money coming in. That's what the corporate executive sees as a "profit making center", and that's how I defined it.

Now, let's take a look at some other internal functions in any company:

Sales & Marketing? Not a profit center, but without it there'll be no profits, plus which suits understand those departments. They generally haven't a clue how design and production work.

Accounting? Not a profit center ... but even a suit sees that as money well spent so he can see how much money he has accumulated. Besides, there are numerous laws which require compliance.

Customer support? Not a profit center. "Too bad our drain-bamaged customers can't handle all their own problems, we'd save a bundle. No, we're not going to upgrade the call center, matter of fact we're shipping it to India next month. Start training Habib here ... he's replacing you."

Internal IT department? Not a profit center. "Too bad all those stupid people that work for us can't handle their own problems. We'd save a bundle. Also, you gotta watch those IT guys, always wanting to spend our money on the latest fancy computer toys."

So far as external threats are concerned ... who cares? "What? You want me to authorize 250 grand for security upgrades to fend off potential threats? Forget it, I'd have to reduce our bonuses this year and that sure ain't gonna happen ... here's fifty K and you're lucky to get that. Besides, I don't understand all this "black hat" "white hat" shit. What's a firewall, anyway? I think my car has one. My dog had worms once."

That's what I'm talking about. I'm sorry if you're an IT guy and took offense, but the facts are clear: IT and its very important offshoot, network security are simply not in the average PHBs top ten list of important areas to spend money. There are some corporations that get it, and make themselves into hard targets, but not enough. Not nearly enough. Part of the problem is that good security is more a matter of good people that it is good equipment.

Re:Hahaha (2, Insightful)

SL Baur (19540) | more than 6 years ago | (#20936193)

Well put.

Part of the problem is that good security is more a matter of good people that it is good equipment.
And the other parts you laid out pretty nicely.

Security is tricky... (4, Insightful)

Dirtside (91468) | more than 6 years ago | (#20935551)

The trickiest thing about security is that there's no reliable way to tell for sure whether it's worked or not. Any security system can be defeated by a properly designed attack, although for a given system this may never happen if there's no one who has both the resources and desire to defeat it.

But the trick is, a sufficiently well-planned attack can defeat security without anyone knowing it happened. So you can't really rely on a count like the number of detected intrusions (whether they were thwarted or not). The result of this fact is that there's a huge amount of crosstalk about "best practices" and what's Good Security and what's not. You could have a system that tracks N intrusions per year, and thwarts them all, but if there were 2N intrusions that were not detected (let alone thwarted)... you go around claiming you've got great security, but do you really?

This doesn't mean we shouldn't try to have security, obviously, but it does mean that security is a giant, tricky grey area.

Re:Security is tricky... (1)

ealar dlanvuli (523604) | more than 6 years ago | (#20936541)

Uh security is easy. Don't run programs from writable media. If you do, restore the media once a day (and also keep up with patches / other best practices). Anything else is snake oil.

Always assume someone has a zero day rootkit for every server you run. You live in fantasy land if you think there aren't hackers that could pwn your system instantly in this world.

Done.

Sean

Re:Security is tricky... (1)

Lobster Quadrille (965591) | more than 6 years ago | (#20936609)

That solves the problem of people rooting your box. Now address these ones:

Stupid users
Information Disclosure
Fires, floods and nuclear apocalyps
keeping the source tree for your new video game from going public
That hard copy of the company directory that just got thrown in the dumpster out back
the list goes on and on...

There's a lot more to security than keeping the script kiddies off your web server.

Re:Security is tricky... (1)

haihainicknameused (1075085) | more than 6 years ago | (#20937507)

just ignore security. and ignore stupid users. :) make it all go away pretty please ? nah well there is no way to keep everything 100% up all the time and if you are at the five nines in uptime it should be fine. people tend to panic and go OMG THE INTERNET IS GONE FOR 5 MINUTES!!!.. cry more. if you have documents that are secret and aren't supposed to leak out, put it on a separate network. for other stuff there is backup, redundant servers. your system is hackable, it's a fact, will anyone do it ? that's the question and if they do. find out who/how report them, reload backup & fix security. the biggest reason hackers hack systems these days seems to be able to send out spam mail for xx minutes and then they leave.

Host vs. Network (1)

huckamania (533052) | more than 6 years ago | (#20937671)

Host based security is tricky because if the host is compromised, a good attacker will cover their tracks. It's harder, maybe even impossible, to cover your tracks when you are dealing with something transparent on the network, like a bump in the wire.

Detecting an attack is easier to do then thwarting an attack, and obviously so. What is sad is that many IT types would rather not even know about attacks because then they are liable. Ignorance, even in IT, is bliss.

I once tested a network monitor that I developed on a live accounting server. They were happy to let me test until I found 3 rogue connections that tracked to known attack vectors. The next day the IT manager disconnected the network monitor and replaced the accounting server with a new box. The old accounting server got formatted before we could see if the rogue connections were actual intrusions. If they weren't, they certainly were suspicious enough to pull the box and replace it.

20% !? (1)

Stormie (708) | more than 6 years ago | (#20935917)

I probably shouldn't admin this for fear of making my workplace look like an attractive target, but DAMN, there is no way that anything even remotely close to 20% of our IT budget is spent on security. I'd be surprised if it was 2%.

Re:20% !? (1)

hejog (816106) | more than 6 years ago | (#20937095)

same, probably less than 1%. I can't even think what SME businesses _could_ spend it on besides the obvious AV / Firewall stuff ...

SPAM, Antivirus, Firewalls, VPNs... (1)

WoTG (610710) | more than 6 years ago | (#20936095)

At first glance 20% sounds really high, but once you think about what could be mixed in with security, I'd believe 20%. No, it shouldn't be that high, but thanks to the great Internet thing, that's what we get.

Use OpenBSD... (1)

kcbanner (929309) | more than 6 years ago | (#20936111)

...and its secure from the start.

Linux Admin: "BSD? lolwut? thats like that OS from the fifties right?"
OpenBSD Admin: *sigh*

Yes, we need to protect... (0)

Anonymous Coward | more than 6 years ago | (#20936539)

...all our Windows systems.
Now I clearly see why nobody wants us to move away from the system that needs most protection.
...and why Symantec, McAfee and security experts tries to tell everyone that Linux and OS X are as much in danger as Windows...

Security!! Need painkiller (1)

rk075002 (1164403) | more than 6 years ago | (#20936773)

In my place, the security and the windows department always have misunderstanding.It is not that security department does not want to beef up the security, it is because other department that want special "request".

a nice way of saying... (1)

realkiwi (23584) | more than 6 years ago | (#20936817)

...plugging holes in Windows

Businesses Spend 20% of IT Budgets on Security (0)

Anonymous Coward | more than 6 years ago | (#20936839)

i think we should allocate some fund for the security because without any security we can't use the system safely and always need to be afraid of the hackers and viruses that going to attack our system at any time.

Evidently coffee must be = 21% of IT budgets (2, Insightful)

MadMidnightBomber (894759) | more than 6 years ago | (#20937049)

"If you spend more on coffee than on IT security, then you will be hacked," [Richard] Clarke said during his keynote address. "What's more, you deserve to be hacked."

So many people turn off default security features! (1)

Russell Coker (125579) | more than 6 years ago | (#20937587)

Fedora, Red Hat Enterprise Linux, and CentOS come with a reasonable Net Filter (iptables) configuration by default that allows the necessary operations. It can be easily configured to allow extra ports, trusted interfaces, etc. It often gets turned off because it's supposedly too hard.

Fedora, RHEL, and CentOS also come with SE Linux enabled by default, it gets turned off more often than Net Filter.

I find it difficult to believe that any significant portion of IT budget goes to security when I see so many people turning off things that are free and relatively easy to use.

Honesty? (3, Insightful)

Speed Pour (1051122) | more than 6 years ago | (#20937799)

Crazy question...since nobody else has bothered to ask it...is it possible that the average company feels they will appear more "privacy responsible" by claiming to spend a huge portion on security?

Somehow I'm picturing companies answering surveys with 20%, stock investors are probably hearing 2%-5%, and the people who actually make decisions are really putting in about 7%-12%.

Y2K Redux (2, Insightful)

bstarrfield (761726) | more than 6 years ago | (#20938265)

Seems to me that we're seeing another Y2k scenario - there is a real issue, and let's all overreact. Y2K was a profitable business for many consulting firms, contractors, and software vendors. The Y2K situation was something that needed to be addressed but by scaring C-level executives there's great profit to be made!

Read one of the security journals, look at the marketing hype coming out of Symantec, McAfee, and any number of security consulting firms - the primary message is fear. Fear of some unquantifiable buggiman come to get your precious data. Precious little data on how many monsters are out to get your data, but you best be afraid. And I agree - there is reason to be concerned, but no reason to be hysterical and dedicate one fifth of your IT budget to the nebulous Security functions.

How many of these security consultants are brand new? How many are receiving certifications from the very same groups that are attempting to promote the opinion that there's a security crisis? Can you fix security problems yourself, within your own firm? Damn likely. Many IT groups underestimate their abilities (or their senior managers do), and outsource a job that could, perhaps, be done better in house.

I realize that we can't ignore the security issue, just as we couldn't ignore Y2K. But hysterically throwing money onto the problem won't solve the problem either. Don't waste your money if you can avoid it. Don't just fall for the drama of the moment if at all possible

Security is expensive (1)

ancalikorn_pk073892 (1164765) | more than 6 years ago | (#20938281)

There is not impossible if the budget will increase year by year as we know that security is very important in IT nowadays. A lot of testing has to perform to produce the secure system.All of these testing required a huge amount of budget.

hmmm (1)

PK075010 (1166269) | more than 6 years ago | (#20938589)

it good thing, they use 1 over 5 in security budgect...security is most important part in today life...without it how can how can we protect our secretor information from others...include militarry...without it may be..cave man know how many tank we have and operate...it worth to pay for it... --- (=.=')0....got red for english

Cost-benefit analysis? (1)

Hugo Graffiti (95829) | more than 6 years ago | (#20938649)

Has anyone done a cost-benefit analysis for the amount of money spent on IT security? Seems like the only people qualified to estimate the probabilities - ie security consultants - have a vested interest in over-exaggerating security dangers.


I found this book review which seems to suggest that nobody knows:

The major flaw with MCR arrives in ch 4, on p 68: "The variables affecting potential cost savings include (1) the potential losses associated with information security breaches, (2) the probability that a particular breach will occur, and (3) the productivity associated with specific investments, which translates into a reduction in the probability of potential losses." This is true -- but this is the key problem: devising even rough estimates of 1, 2, and 3 is nearly impossible in practice. The authors' examples (see figure 4-2 for one) assume these factors can be determined (like $10 mil total potential loss without countermeasures, 75% probability of loss with no countermeasures / 50% with $650,000 of countermeasures, and so on). When I saw these contrived examples I wondered "what is the origin of these figures?" The fact of the matter is that they are all guesswork, which means the calculator can say anything the analyst wishes to produce.


In some sense we are back to square one, although much better educated in economics. (Note that Andy Jaquith's book Security Metrics also observes how calculating these figures is nearly impossible in real life.)

At current rate of increase, by my calculations... (1)

jackpot777 (1159971) | more than 6 years ago | (#20938689)

...security spending will take up 155% of IT's budget in the year 2015.

Either someone has to increase IT's budget before the 100% mark is reached in 2013, or the DBAs should be sent out to pillage from Accounts Receivable.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>