Chasing Infosec Budgets and the Loch Ness Monster

Trying to get an accurate, unbiased reading of today’s Internet security arena is like trying to get a non-fuzzy, close-up and genuine photograph of the Loch Ness Monster.

All right... maybe it is not all that difficult a task, but overviews, statistical data and assessments of the infosecurity marketplace and its bevy of threats are typically self-serving: those conducting the 'research' want new customers, to gain capital, to grow the business, to get more customers. Still, despite this cynical notion, some interesting views of the threat landscape and of the emerging fixes for various attack types do emerge from these studies - especially when the work is offered up by consultants with no product to sell.

While not a formally released study, some statistical data recently shared with me showed some pretty intriguing happenings. "With all the talk about security trends - especially in the context of post-Sept. 11 - we thought it would be useful to share with you the nature of the security projects we've conducted in the first half of 2002," say Jonathan Gossels, president, and Brad Johnson, vice president, of SystemExperts Corporation.

First off, based on the work they have been doing over the last several months, they are seeing folks dole out the dollars on security very carefully. Companies are sticking to the course of frugality - for better or worse.

"Security may be getting a slightly larger slice of the pie, but, with rare exceptions, few companies are making major new commitments to address their security vulnerabilities," Gossels and Johnson note.

Now, most security professionals would see this as a potentially bad move. After all, the threats are not getting better; many experts say they are getting worse. The hackers, virus writers and other cybercriminals parading around the Internet are pulling out all the stops when it comes to taking down companies, stealing critical information, pinching customer details and more, either to better their standing among their pals or to line their pockets.

Even so, Gossels noted in a recent telephone interview, "there is a broader corporate-wide acceptance of the importance of security." The problem is that folks just aren't spending the bucks ... or is it simply that they are no longer spending their bucks haphazardly?

"Of particular interest is the fact that what companies are spending their security budgets on differs markedly from what is being written and talked about," contends SystemExperts.

Out of the 147 projects SystemExperts tackled between January and June for major financial institutions, universities, technology companies, retailers, entertainment companies and a host of startups and small organizations, a number of things became clear, they say.

First off, penetration testing and security audits are now among the most important undertakings for businesses today. They have gone mainstream, and "web and application-level testing exceeded perimeter testing for the first time." One can surmise from this that organizations understand the perimeter is no longer the decisive boundary: once a company publishes web applications that reach through the firewall into back-end systems, the hard outer shell counts for far less than the code and servers behind it.

Secondly, despite penny-pinching in a tight economy, "organizations are recognizing the value of having a coherent security architecture," say Gossels and Johnson. "Alternatively, they are recognizing the limitations of deploying point security solutions without an architecture."

The next trend is quite an interesting development, and it reinforces what many vendors are experiencing with potential clients nowadays. No longer do buyers meet and greet, then spend loads of cash on a tool they know little to nothing about. Instead, they're kicking the tires, running pilots and throwing out inadequate solution providers who fail to deliver the goods. "Security reviews of new products, while still a small number, are one of our fastest growing types of projects," say Gossels and Johnson. "We believe this is a direct result of Sept. 11. Customers are asking prospective vendors to demonstrate that their products are secure."

Next, all the talk about wireless security issues may be ahead of actual deployment. "While the trade press is heavily focused on wireless security issues ... we're seeing wireless everywhere, but few major clients are using it in production environments," maintain Gossels and Johnson. It seems that production wireless deployments are at much the same level they were in 2001.

And, finally of worthy note, "few organizations are proactively preparing to deal with cyberattacks," say SystemExperts. "The percentage of projects related to preparing IT infrastructures to withstand and to respond to a security incident is unchanged over the past several years. We find this one of the biggest surprises of the first half of 2002."

But is this finding such a shock? Most experts contend that, while there has been a great deal of coverage in the mainstream press about security, especially since Sept. 11, companies are still failing to budge on implementing the tools that might prevent an attack from taking them down in the first place. Heck, a huge number of businesses are missing the mark on basic application and server patching - an action that would win half the battle, since so many of the attacks cybercriminals launch exploit exactly those known, unpatched holes. Is it all that surprising, then, that companies would fail to do the layered security thing?

Plus, the economy is just crazy right now. Not that many people are looking to spend money on much of anything. After all, organizations may need the cash for some all-important business initiative that could leave them among the lucky few standing after the dust settles.

Oh, but wait a minute. Isn't infosecurity - protection of critical business assets - a sound business initiative that could help a company survive, maybe even excel when other organizations are dropping off the radar?

And, that, my friends, is the point.

All this talk about security and preparation/prevention of attacks is far from hype. Businesses rely on the Internet more than ever. Companies conduct their affairs electronically and then store the proprietary and critical remnants of these transactions digitally. So, why is it that they are failing to secure this stuff?

IT security is not a luxury to be reviewed during the next viable budget cycle. IT security is a business enabler, pivotal to keeping the electronic systems that let organizations make money in the first place running and trustworthy. And, while the increased security awareness everyone is talking about may be getting security a bigger slice of the overall IT pie, that pie is a lot smaller than the one on the table last year. Companies need to dedicate more - more money, more resources, more time.

The business case for infosec should be crystal clear to organizations today. But, unfortunately, it just isn't there yet.

"Inaction is a good way to define it," says Gossels. "I think we've been lucky. It's amazing that we haven't seen more cyberterrorism since Sept. 11. ... I do expect with a catalyst event of any sort [the attitudes about security and associate spending] will change rapidly."

Whether it will take some enormous, catastrophic Internet incident to make that happen (let's hope not!) is unclear. But one thing is for certain: once the corporate world's upper-level executives do start to see the business need for infosec, there are bound to be a lot of long-crusading security gurus out there slapping their foreheads in disbelief - as if they've just seen the Loch Ness Monster sitting smack-dab in the middle of their desks.

Illena Armstrong is U.S. editor and global features editor for SC Magazine (
