I'd agree with Marc's assessment for the most part. One other issue I personally am seeing is that a number of the various Infosec companies out there are selling their products as an all-encompassing solution: there are IDSs that also do (generally broken) honeypot-type things, firewalls that do (pseudo-) IDS, VPN boxes that do (sorta kinda) firewalling... Sales people do such a great job of convincing PHBs / CIOs that their products are the best thing since Squeeze Cheese that entire budgets get spent on one part of the picture. Since (despite the hype) no one product out there can really provide all of the needed facets of a secure environment, a lot of (at best) partial solutions are being implemented, and those much-hyped "skyrocketing security budgets" are being sadly misspent, with staffing often an afterthought. An anecdotal case in point: one large U.S. company recently spent around $2 million (US) on IDS. The fact that they're monitoring several hundred sensors with a staff of two, that most of the infrastructure being monitored isn't secured in the first place, that minimal firewalling / segmentation is in place, is irrelevant in their view. The IDS company had the best sales guys, and they had a security budget to spend. Why not spend it all in one place? Staff, updated firewalls, network redesigns, and app security will have to wait till next year, assuming the same dollars will be available then. I guess my point is that even if the dollars are being spent, awareness is still at a low enough level that they're often not being spent wisely, and that folks in our field shouldn't expect things to turn around overnight.
GLB and HIPAA are raising awareness, but it will take a few more years for companies to fully integrate security into their IT philosophy, and vendors selling a number of "bolt-on" solutions that don't require a fundamental change in approach, but provide next to nothing in "real" security measures (which require time and resources, more than anything else), are making it easy to overlook the staffing issue.

--shawn

--
Shawn Moyer
Project Lead - Information Security
Reinsurance Group of America, Inc.
1370 Timberlake Manor Pkwy.
Chesterfield, MO 63017

Marc Maiffret wrote:
> I definitely think there is a need for security and people are definitely
> spending money on security (well at least security software, I know first
> hand).
>
> Not all security companies are doing that bad, however a large majority of
> them seem to be.
>
> I've been saying it for a while now but I think over the next year and a
> half or so we'll see security companies start to tumble over like dotcoms.
> It's not that people do not need security or that people aren't spending
> money on security but there are too many half thought out ideas being turned
> into companies. Too many security consulting companies that lack anything
> unique or most of the time, just plain lack any clue of what they are trying
> to do or provide as a business. In the arena of security products it all
> falls closer to the dotcoms for like the dotcoms you have many security
> product companies developing products which they think are "cool" or "a good
> idea (tm)" however "the market" (people with the cash) does not really think
> those products are a good idea. Much like trying to have an online pet store
> when no one wants one.
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 18:34:13 PDT