Late last year, security seemed to top many IT priority lists. That is not surprising given the events of last year, including multiple high-profile virus attacks and the terrorist attacks in the United States.
So, will concern for security translate into a lot more dollars spent for security? Will spending more increase security? Probably not, says Peter Lindstrom, director of security strategies at the Hurwitz Group.
Security may be a major concern for companies but this doesn't necessarily translate into more security spending, Lindstrom said. Moreover, even those spending more money aren't necessarily going to be more secure, he said.
So, who is making security buying decisions? "The easy answer is everyone and no one," Lindstrom said.
"It's not clear who always makes the decisions, but most purchases I think are done by consensus," Lindstrom said. "Most financial services companies have chief security officers with significant budgets, but everywhere else the decisions are usually made by a group, with the budget coming from the platform owner that will host or directly benefit from the security solution. For example, if the spending is related to the network, then the network people will be involved."
"There is no causal relationship between the amount a company spends and how secure they are," Lindstrom said. "Granted, having no money for things would hamper security efforts, but throwing money at the problem isn't necessarily the way to improve security."
Companies often don't use existing security assets to the fullest, Lindstrom said. Some are "shelfware," never installed. Some are installed but not used. "It really boils down to the effort that a company puts into security in terms of people and effort," he said.
"For example, some people buy intrusion detection systems without realizing they'll need staff to monitor them 24 hours a day to function," Lindstrom said. Much of security involves "people bandwidth" issues: companies are usually more willing to throw money at problems than to invest in staff.
But throwing even more money and focus at security doesn't necessarily make a company more secure, partly because measuring or assessing a company's security isn't easy. The absence of incidents such as breaches is probably the main way companies conclude they are secure, and that is a weak signal. "Some companies keep their eyes closed so they never see any incidents," he said.
There are several ways companies can test their security. One is following best practices, but these tend to be hard to reach and not always practical. Another is relying on regulations, but these usually set minimums, which can be vague. "They are starting points, but won't help with day-to-day operations," he said.
There are also vulnerability assessment tools that assign points to the problems they find, but there is no standard scoring system across such products, Lindstrom said.