Taking the Next Steps
By Ericka Chickowski | Posted 2008-06-02
The security risks IT managers worry about the most aren’t the same ones they spend their company’s money on. What’s going on? Baseline set out to get some answers.
Once an organization moves beyond the stage of identifying threats, it becomes a matter of finding the right technology, getting the budget to buy it and putting proper processes in place to support the system. All of that takes time.
“If people tell you there is a disconnect—that even after seeing considerable risks in certain areas, they’re still spending money somewhere else—then you need to ask whether they can shift some of the money around—maybe in stages,” Bhatt says. “I’m not saying you have to stop buying anti-virus or any other solution, but maybe you could balance it somehow.”
There have been two challenges keeping IT leaders from asking for these changes. First, some of the newer technologies designed to address recently identified risks, such as data leakage, had been too immature or too expensive to invest in. Second, even when a technology is ready for widespread implementation, it is often difficult for security practitioners to justify costs beyond the current budget items with which nontechnical executives are familiar.
“The obvious things that you can see day to day—anti-virus software, spam protection and firewalls—have been getting the most attention,” Bhatt says. “An average Joe knows about viruses and firewalls, even if he isn’t in IT. The first thing everybody says is that you’ve got to have a firewall and even the PCI data security standards. So everyone spends more money on those things.”
This attitude (often held by the executives who hold the purse strings) that anti-virus software and firewalls are indispensable and everything else is under discussion can be self-perpetuating, primarily due to the craftiness of resourceful security managers. As Robert Ayoub of research firm Frost & Sullivan explains, some of the newer technologies often get stuffed into old budget categories, such as firewalls or anti-virus software, either because they’re too new to have their own category or because the security manager wants upper management to sign off on them with as little fuss as possible.
“There are definitely folks thinking beyond the firewall, but some of the newer technologies that don’t have a budget item are cannibalizing other budget categories,” explains Ayoub, who analyzes security trends for Frost & Sullivan. “Sometimes you have to really dive in to get some visibility and ask, ‘Was this really anti-virus spending or something else?’”
Often, though, an organization really does spend that much on traditional security technologies. The high maintenance costs of anti-virus software and firewalls still continue to drain the security budget at many enterprises. In fact, some experts question whether security should be forced to continue shouldering these costs.
“I’ve seen some organizations take these items out of the security organization’s budget,” says QuietMove’s Muntner. “Firewalls are basically just a piece of the network infrastructure now. They used to be a security point product, but they aren’t anymore, as more of these first-generation security features are built into common infrastructure devices. Why not shift the cost into operations, so the security department can spend its time as a control organization?”
This approach is controversial, and some industry practitioners believe it’s simply a way to move money from one fist to another. ARC’s Bhatt says he’d rather keep these items in his budget so he has a clear picture of how much security is costing. He suggests that security managers do a better job of managing their vendors and containing the costs.
“If anti-virus technology has almost become a commodity, you need to figure out how to shop around,” Bhatt says. “You’ll find that it’s all signature-based, and there are tons of people selling inexpensive software to cover that area.” He adds that security leaders need to get better control over the types of technology they’re using and the cost, which will make it easier to ask for additional budget to fund important new initiatives.