[ISN] Top Three Security Problems Remain Despite Increased Spending

From: InfoSec News (isn@private)
Date: Wed Feb 18 2004 - 01:57:17 PST

    http://www.esj.com/security/article.asp?EditorialsID=860
    
    By Mathew Schwartz
    2/18/2004
    
    Expect security spending to get a boost at many companies, says The
    Yankee Group after surveying 404 "decision makers" at
    medium-to-large companies.
    
    Half of respondents see security budgets increasing over the next
    three years; only eight percent see them decreasing. Also, half of all
    respondents share the same budgetary top-three: antivirus, intrusion
    detection systems (IDS) and intrusion prevention systems (IPS), and
    firewalls. In addition, 40 percent of the Fortune 500 plan to purchase
    Web services security products.
    
    Yankee also sees more companies opting for outsourcing, and predicts
    managed security services alone will grow from $1.5 billion in 2002 to
    $3.7 billion in 2008.
    
    Yet for all the looking forward, the same old problems continue to
    plague companies - especially vulnerabilities. "One of the most
    surprising results of the survey is that the cost of patching desktops
    is astronomical," says Yankee analyst Phebe Waterfield. The average
    cost: $234 per desktop. For a company with 5,000 desktops, that means
    over $1 million spent annually just for patching, and for the finance
    industry in particular the cost is higher.
    
    The survey produced other interesting results. For example,
    unauthorized servers, intrusions and antivirus, unauthorized senders,
    and denial of service attacks dominate respondents’ network security
    concerns. "A big surprise for me was that peer-to-peer and instant
    messaging rated so low. It turns out that IT managers and network
    managers have much simpler problems that they need to deal with," says
    Yankee analyst Eric Ogren.
    
    Beyond vulnerabilities, viruses, and patching, respondents' other big
    worries were regulatory compliance and wireless technologies.
    
    Regulatory concerns certainly haven't hurt security budgets. With such
    regulations as the Health Insurance Portability and Accountability Act
    (HIPAA), the Gramm-Leach-Bliley Act, and Europe's Basel II, security
    has become "a C-level and boardroom imperative," notes analyst Matthew
    Kovar. While some regulations are industry specific, "the
    Sarbanes-Oxley Act specifically requires rapid expenditures on
    technology, processes, and documentation, to ensure clear separation
    of operations from line-of-business activities," he says. As a result,
    "to comply with these regulations, organizations are conducting
    security audits of their internal- and external-facing systems,
    including partner-network connections."
    
    Ironically, regulations threaten to create a security arms race, since
    the lack of established benchmarks means regulators are taking an
    industry-wide sample, then judging good from bad. Of course, no
    company wants to be the model for what not to do. In the short term,
    says Kovar, this might work, but it can't last forever; companies
    can't battle forever - they have to establish agreed-upon baselines
    with regulators.
    
    To better handle the vulnerabilities and viruses plaguing them, Kovar
    recommends companies outsource anything - including security - that
    isn't mission-critical, or at least a core competency, to focus on
    securing their critical internal information. "It may be
    counterintuitive to outsource perimeter security protection such as
    firewalls, IDS, or content inspection; however, service providers can
    do it cheaper through economies of scale, [and] managed security
    service providers can keep up with the change in technology, freeing
    you from that obligation."
     
    
    Mathew Schwartz is a security and technology freelance writer and
    long-time contributor to Enterprise Systems publications. You can
    contact Mathew Schwartz about Top Three Security Problems Remain
    Despite Increased Spending at Mat@private
     
    
    
    


