Dollars and sense: Application security

Though it is difficult to quantify ROI for security initiatives, investment in application security is logical for the enterprise, reports Jim Romeo.

In the past year, the University of California, Berkeley, has doubled its security budget – already in the millions – to guard against a multitude of network intrusions attempted every single day. 

Like many other organizations, the school depends on extensive collaboration with developers and stakeholders, and uses sophisticated applications to solve complex problems. The preeminent challenge, however, is ensuring that these applications are capable of withstanding exploitation from external actors intent on absconding with valuable proprietary and student data. 

As application security continues to face challenges, so does corresponding spending to safeguard against known vulnerabilities. Which tools and technologies organizations invest in is a critical concern, though many point out that security objectives are often misaligned with actual needs. 

A recent survey of 110 diverse IT organizations – sponsored by Oracle and conducted by IDG Research's CSO Custom Solutions Group – found that “most IT security resources in today's enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business.” While the findings indicate that nearly 66 percent apply an inside-out security strategy, only 35 percent base their strategy on outside-in protection.

When it comes to actual spending, 67 percent of IT security resources – including budget and staff time – are allocated to protecting the network layer, and a mere 23 percent are allocated to protecting core systems like servers, applications and databases, according to the same research. The study found that the majority expect to spend the same or more this year as compared to last, while 59 percent expect to spend at an even higher level next year than at present. In fact, according to separate research conducted by Gartner, spending on IT security will top $86 billion by 2016.

David Canellos, president and CEO at PerspecSys, a McLean, Va.-based cloud data protection gateway solution provider, advises his clients to inventory their company's applications and data to know what is truly sensitive. He emphasizes the importance of mapping a security strategy to capital outlay. “The first step is to create a solid IT strategy to drive their investment road map,” says Canellos.