[ISN] Buying security products is often a waste of money

From: InfoSec News (alerts@private)
Date: Tue Feb 19 2008 - 22:37:43 PST


http://www.zdnetasia.com/news/security/0,39044215,62037937,00.htm

By Liam Tung
ZDNet Australia
February 19, 2008

Businesses waste millions of dollars trying protecting their IT 
infrastructure but too many investment decisions are corrupted by poorly 
applied mathematics.

"I believe that industry, by and large, is wasting money on security 
today," said Gene Hodges, CEO of security firm, Websense.

Hodges said the need to feel secure has lead to business making poor 
investment decisions when it comes to IT security. This has resulted in 
money being disproportionately allocated to preventing attacks on IT 
infrastructure.

"Attacks were, for the '90s and the first half of this decade, focused 
on the infrastructure and the bad guys' objective was to take down your 
e-mail system, to take down your network connectivity through DDoS 
attacks...that's why we bought firewalls and antivirus, IDS and IPS.

"I think spending money on classic infrastructure security gives you a 
sense of security, but actually, you know ...it doesn't matter that 
much," he said.

Hodges' comments echo those of security guru Bruce Schneier, who 
recently warned business to avoid getting "caught up in the feeling of 
security, driven by fear".

But this doesn't mean that spending on security is a waste of money, 
according to Hodges, who said that overzealous budgets for securing 
infrastructure are wasteful because their relationship to a company's 
financial performance is more tenuous than say, data leakage.

"So what if some IT guys have to work over the weekend to clean up 
laptops. I mean, I'm sorry to say this but you know that's generally the 
way a CEO would feel.

"On the other hand, that same CEO, if he thought he was going to be 
embarrassed and the stock price depressed through a major data leak, he 
would be very happy to make that investment--and I think that's well 
beyond the feeling of security," Hodges told ZDNet Asia sister site 
ZDNet.com.au.

Schneier said that another problem faced by administrators is knowing 
how much security products are worth.

"If you've ever see one of those ROI models, what they do is measure the 
cost of an attack and then multiply it by the probability of an attack 
to give you how much money you should spend--this is how all insurance 
companies build their business model," Schneier told ZDNet.com.au in an 
interview.

"Maybe your reputation is worth US$20 million, or maybe it is only worth 
US$10 million, or maybe it is worth US$40 million. Suddenly I can 
completely perturb your budget--because the numbers are so big and so 
small, that minor changes perceptually make huge changes to the product. 
So I can make an ROI model say whatever I want," he added.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Tue Feb 19 2008 - 22:44:55 PST