There's good reason CFOs (and everyone else who signs off) chafe when it comes to enterprise security spending -- it's not just a cost center, it's a gigantic, budget-sucking vortex. And now the numbers are in to back up what 'til now had been mostly just suspected or anecdotal.
Nearly 80 percent of security products fail to perform as intended when first tested -- and most require two to four cycles of testing before achieving certification, according to a study authored by ICSA Labs and Verizon Communications Inc. (NYSE: VZ). Further, the testers said approximately 20 percent of products struggle to accept software patches correctly, and new security products have more problems than established ones.
ICSA said it used data derived from 20 years of testing anti-virus software, network and Web application firewalls, intrusion prevention systems, Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), and assorted custom programs.
Maybe these findings won't be particularly surprising for IT security pros. "Across seven product categories, core product functionality accounted for 78 percent of initial test failures -- for example, an antivirus product failing to prevent infection or an intrusion prevention system product failing to filter malicious traffic," reports sister pub Dark Reading. And quite apart from the worry such results might provoke, doesn't it also suggest that most security purchases are going to be riddled with hidden costs?
The news doesn't get much better. ICSA reports that 58 percent of these failures came from security products' failure to completely and accurately log data. "The report findings suggest some vendors and enterprise users consider logging a nuisance," DR noted, adding this is a particular challenge for firewalls: "Almost every network firewall (97 percent) or Web application firewall (80 percent) tested by ICSA experienced at least one logging problem."
All this suggests that enterprise security -- acquisitions, maintenance, upgrades -- is a money pit. Good security isn't necessarily a competitive differentiator or gateway to new revenue sources, but few are willing to really put that to the test and risk bad security. Good security, as many have noted here on Internet Evolution and elsewhere, is about avoiding costs -- of lost customers, share prices affected by a data breach, proprietary data lost to or stolen by third parties and hackers, state and federal fines, and other factors.
As our reliance on Web applications and the Internet grows, security will continue to be a spend-y proposition. Will cloud computing alleviate security costs and concerns? I don't think so -- cloud computing will just displace all this onto the cloud provider. But whether you keep it in-house or go the cloud route, security will continue to exact its hefty premium, despite the shrugs and grumbles over the cost of doing business in a networked world.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities. To join the Security Clan, register here.
I agree that a tool is only as good as the carpenter who wields it. A hammer can be used to build fine furniture. Or to tear down a house. But you wouldn't expect a demolition expert to build a china cabinet. Look into some of the intrusion prevention systems. Many recommend letting it sit in the network for a week or four to see what normal traffic looks like before you implement the filters. Meanwhile your network has a full-blown solution and your network is completely defenseless.
Plus most EULA statements completely absolve the seller for a system failure. Even if you follow all instructions to the letter. Plus the fact that you never buy a solution. You just lease it. If you lease a car and it blows up and kills your employees, you have a legal recourse. But if your firewall drops sync and allows your network to be destroyed, you say caveat emptor.
There are inferior products on the market. But no way to weed them out without paying a consultant to recommend a product. Or conducting an in-network appraisal before you buy. But even then you need an in-house SME to determine the winner.
The security mantra has been echoing long and loud. Big money buys big security. If you want security, pay me now or pay the hackers later. While I agree there are many unseen costs behind the scenes, too many security corps are trying to make a killing and not just make a living. First they sell you a product license, with an expertly written law-tight contract that guarantees if their system fails they can't be held accountable. Then there is the upgrade insurance and maintenance and service and support agreements. And of course this agreement expires and must be renewed annually. By the time you get out the door, your Yugo solution costs more than the Cadillac you passed on.
Not to mention the problems that arise from people worrying about the false positive causing a business interruption, so the purchasers leave some functionalities disabled.
Don't get the idea that I'm against capitalism. But some of these security vendors are going to price themselves out of business.
I'm curious how many of the companies surveyed put in the shiny new tool with unrealistic expectations? In the anti-virus case, did they actually implement it according to the vendor's best practices? Are they using any kind of defense-in-depth? Did they just think that this tool would protect them and they didn't have to worry about patching or user training?
There are so many variables in security that any number of things could have contributed to what appears to be a failure of the device, but actually points to flaws in the purchase and implementation processes. Everyone here knows that you can't just implement a security tool and expect it to work flawlessly out of the box. The admins need to know how it works and what risks it will actually mitigate. Plus they need to make sure that before they even embark on the project they understand what risks they actually face.
Sure vendors need to get better at actually delivering what they promise, but there should also be a certain amount of "buy beware" as well.
Uh-oh, Chris -- is an ardent free-market advocate like you actually calling for more government regulation? Let me buy you a drink. ;->
Maybe anti-virus software and firewalls need to come with a LONG list of possible side effects: "Virus-B-Gone 6.0 may cause CEO crankiness, puffiness, bloating, data center gas, skin rashes, insomnia, nausea, vomiting, headaches, killer overtime hours, ruined weekends, spoiled vacations, marital strife, road rage, and other unspecified disorders. Use only as directed."
My point exactly, David -- time and energy are indeed money, and enterprise security just looks like a series of rabbit holes or blind alleys that drain productivity and budgets. It's surprising, given the emphasis and importance attached to ROI/TCO that accompanies all other IT purchases.
Despite being on opposite sides of the technology spectrum, I see a direct correlation between enterprise security and biotech industry bringing a new drug to market.
Biotech companies and big pharma for that matter create some cure to combat a disease much like Internet security firms try to combat viruses, malware etc.
The biotech firms spend tens of millions of dollars doing R&D just as the ES firms do.
The biotech firms then spend more money bringing the drug on line, ramping up their facilities for production.
Then the clinical trials must pass multiple stages of safety and productiveness in curing that specific disease just as does security software.
Costs continue to escalate when the FDA conducts Phase I, Phase II and finally Phase II trials for any drug to get to market. This is much like the beta testing that continually goes on for the software product to pass tests to assure that the product meets certain security standards and safety requirements.
So, the point that I think I'm trying to make is, just like the biotech field it's part science, part luck but without question it requires both time and money to really bring a quality product to market without taking any shortcuts. This is a process that needs constant tweaking and perfecting.
It seems far too many companies do not take Enterprise Security with the same vigilance that biotech companies do thanks largely in part to the rigors of the FDA. Maybe firms should put more effort and commitment into putting out a successful product rather than throw money at a problem and expect that to be the cure.
So true Terry. Year after year IT spends more and more on security and yet we are no safer. In fact the gap is widening. The Internet is a 'Digital Pearl Harbor' and I agree, the cloud won't solve that problem.
The conundrum is that without that spend we'd be even worse off.
While security has a hard dollar cost, I think that the damaging impact on time/innovation is just as serious.
I consider all the time IT staff spend on security is time they are NOT spending on new solutions or innovations for business.
Is IT putting 100% of the resources on a new CRM system or a new way to assist customers - no they are spending too much time on security.
In many senses security is all about defense and you have to have a good defense - but a good defense rarely wins a game and in the business world it rarely means victories for the bottom line.
Money, time and energy all go into the PIT. Every day it's a shame that so much is spent because so many people are willing to be dishonest.