Information Security News mailing list archives

Top Three Security Problems Remain Despite Increased Spending


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Feb 2004 03:57:17 -0600 (CST)

http://www.esj.com/security/article.asp?EditorialsID=860

By Mathew Schwartz
2/18/2004

Expect security spending to get a boost at many companies, says The
Yankee Group after surveying 404 "decision makers" at
medium-to-large companies.

Half of respondents see security budgets increasing over the next
three years; only eight percent see them decreasing. Also, half of all
respondents share the same budgetary top-three: antivirus, intrusion
detection systems (IDS) and intrusion prevention systems (IPS), and
firewalls. In addition, 40 percent of the Fortune 500 plan to purchase
Web services security products.

Yankee also sees more companies opting for outsourcing, and predicts
managed security services alone will grow from $1.5 billion in 2002 to
$3.7 billion in 2008.

Yet for all the looking forward, the same old problems continue to
plague companies - especially vulnerabilities. "One of the most
surprising results of the survey is that the cost of patching desktops
is astronomical," says Yankee analyst Phebe Waterfield. The average
cost: $234 per desktop. For a company with 5,000 desktops, that means
over $1 million spent annually just for patching, and for the finance
industry in particular the cost is higher.

The survey produced other interesting results. For example,
unauthorized servers, intrusions and antivirus, unauthorized senders,
and denial of service attacks dominate respondents' network security
concerns. "A big surprise for me was that peer-to-peer and instant
messaging rated so low. It turns out that IT managers and network
managers have much simpler problems that they need to deal with," says
Yankee analyst Eric Ogren.

Beyond vulnerabilities, viruses, and patching, respondents' other big
worries were regulatory compliance and wireless technologies.

Regulatory concerns certainly haven't hurt security budgets. With such
regulations as the Health Insurance Portability and Accountability Act
(HIPAA), the Gramm-Leach-Bliley Act, and Europe's Basel II, security
has become "a C-level and boardroom imperative," notes analyst Matthew
Kovar. While some regulations are industry specific, "the
Sarbanes-Oxley Act specifically requires rapid expenditures on
technology, processes, and documentation, to ensure clear separation
of operations from line-of-business activities," he says. As a result,
"to comply with these regulations, organizations are conducting
security audits of their internal- and external-facing systems,
including partner-network connections."

Ironically, regulations threaten to create a security arms race, since
the lack of established benchmarks means regulators are taking an
industry-wide sample, then judging good from bad. Of course, no
company wants to be the model for what not to do. In the short term,
says Kovar, this might work, but it can't last forever; companies
can't battle forever - they have to establish agreed-upon baselines
with regulators.

To better handle the vulnerabilities and viruses plaguing them, Kovar
recommends companies outsource anything - including security - that
isn't mission-critical, or at least a core competency, to focus on
securing their critical internal information. "It may be
counterintuitive to outsource perimeter security protection such as
firewalls, IDS, or content inspection; however, service providers can
do it cheaper through economies of scale, [and] managed security
service providers can keep up with the change in technology, freeing
you from that obligation."
 

Mathew Schwartz is a security and technology freelance writer and
long-time contributor to Enterprise Systems publications. You can
contact Mathew Schwartz about Top Three Security Problems Remain
Despite Increased Spending at Mat () PenandCamera com
 


-
ISN is currently hosted by Attrition.org
