Security: Do We Really Know What We Are Doing?

Friday, October 15, 2010

Andy Willingham


Fishnet Security recently published its Survey of Security and Data Trends.

They surveyed IT professionals from Fortune 1000 companies to get the answers to 3 major questions:

  • Where do we stand compared to our peers?
  • What security issues should we be concerned about?
  • Which people are must-have versus nice-to-have?

Let me say that I’m not a big fan of such surveys. Usually they don’t really give us much in the way of real information that can help us in our day to day lives.

I’m hoping that this one continues in that tradition. Why, you ask? Because if what I see in here is true then things are worse than I feared.

Before I get too far into this I have to give props to Gunter Peterson. He is the one who pointed me to this survey, saw this item of concern and brought it to my attention.

The problem here is in a couple of the findings that came to light when you look at the list of top security concerns:

  • Mobile computing 69%
  • Social networks 68%
  • Cloud computing platforms 35%

Then when you compare them to the top security investments:

  • Firewalls 45%
  • Antivirus 39%
  • Authentication or anti-malware 31% each

There is a big disconnect there. When you have a group of people saying that they are concerned about certain threats but their spending doesn’t match up then you have a problem.

Why spend money on technology and controls that don’t address the things that you see as your biggest threats? Why? It just doesn’t make sense.

Or possibly it tells a different story. Is this a story where companies are just spending money for the sake of spending money?

Are they buying things that they are comfortable with instead of things that could actually give them some positive results for their spending? Do you like the way I avoided using the term “ROI”? :)

If this is actually indicative of real life happenings, then it doesn’t paint a very pretty picture of what we as a profession are doing.

It seems to suggest that we are a long way from being useful for what we are paid for. It also suggests that we possibly have a lot of people filling the role of Security who aren’t really qualified to fill that role.

People who are not thinking outside of the box, but instead are thinking “what can I do that makes it look like I’m doing something?”.

Maybe, and hopefully, I’m wrong.

Maybe those who filled out the survey are not the ones who are making the decisions, and aren’t the ones who really should have filled out the survey.

Maybe we will all wake up and discover that it’s all been a bad dream. :)

Cross posted from Andy IT Guy

Terry Perkins: Hopefully, bad dream, indeed!

Lee Mangold: So what are the expensive options for mobile phone security? I can spend 30k on a firewall, but how much does it cost me (parts, no labor) to equip everyone with a BlackBerry and get a BES? As far as my mobile device is concerned, that's a firewall, policy management, and capability for less than a firewall!

The numbers are skewed in that they don't account for the availability of solutions. There are thousands of firewall security solutions...but maybe 10-20 mobile device security solutions?

Allan Pratt, MBA: Good post, Andy, it's up to all of us security pros to overcome the disconnect. I also recommend reading the entire report from Fishnet Security.