logo

  •   Submit to to del.icio.us   Submit to to digg   submit to to reddit   submit to to StumbleUpon   submit to to Google   Submit to to Yahoo!

Category: news | Posted by Avatar Staff 322 days ago
Via: http://lists.jammed.com | Tags: isn buying security products waste money comments Discuss  


http://www.zdnetasia.com/news/security/0,39044215,62037937,00.htm



By Liam Tung

ZDNet Australia

February 19, 2008



Businesses waste millions of dollars trying protecting their IT

infrastructure but too many investment decisions are corrupted by poorly

applied mathematics.



"I believe that industry, by and large, is wasting money on security

today," said Gene Hodges, CEO of security firm, Websense.



Hodges said the need to feel secure has lead to business making poor

investment decisions when it comes to IT security. This has resulted in

money being disproportionately allocated to preventing attacks on IT

infrastructure.



"Attacks were, for the '90s and the first half of this decade, focused

on the infrastructure and the bad guys' objective was to take down your

e-mail system, to take down your network connectivity through DDoS

attacks...that's why we bought firewalls and antivirus, IDS and IPS.



"I think spending money on classic infrastructure security gives you a

sense of security, but actually, you know ...it doesn't matter that

much," he said.



Hodges' comments echo those of security guru Bruce Schneier, who

recently warned business to avoid getting "caught up in the feeling of

security, driven by fear".



But this doesn't mean that spending on security is a waste of money,

according to Hodges, who said that overzealous budgets for securing

infrastructure are wasteful because their relationship to a company's

financial performance is more tenuous than say, data leakage.



"So what if some IT guys have to work over the weekend to clean up

laptops. I mean, I'm sorry to say this but you know that's generally the

way a CEO would feel.



"On the other hand, that same CEO, if he thought he was going to be

embarrassed and the stock price depressed through a major data leak, he

would be very happy to make that investment--and I think that's well

beyond the feeling of security," Hodges told ZDNet Asia sister site

ZDNet.com.au.



Schneier said that another problem faced by administrators is knowing

how much security products are worth.



"If you've ever see one of those ROI models, what they do is measure the

cost of an attack and then multiply it by the probability of an attack

to give you how much money you should spend--this is how all insurance

companies build their business model," Schneier told ZDNet.com.au in an

interview.



"Maybe your reputation is worth US$20 million, or maybe it is only worth

US$10 million, or maybe it is worth US$40 million. Suddenly I can

completely perturb your budget--because the numbers are so big and so

small, that minor changes perceptually make huge changes to the product.

So I can make an ROI model say whatever I want," he added.





___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn





addto Add this link to... report Bury 


Comments Who Voted Related Links
Copyright 2005-2008 Best of Security