Jeremiah Grossman posts on what's likely the most important enterprise security issue - budgeting. Specifically, he breaks down what Information Security spends on Infrastructure security (like network security and firewalls) versus application security. Even though the attacks come at the application and data level, the Information Security community still continues to spend on infrastructure security.
I have done similar analysis to Jeremiah's and, through different means, arrive at the same conclusion: you cannot find a technical or business-risk justification for the percentages spent on infrastructure security. Why, then, is so much of the security budget (to the tune of 80%, using Jeremiah's number) consumed by infrastructure? Infrastructure and networks are the background of information security people; it's their comfort zone. Why change? When you ask about application security they say "we got it covered." Application security is not budgeted, not planned for, not executed, not measured, but somehow "it's covered." What this generally means is "don't ask, don't tell." It most assuredly does not mean that it's covered; it just means no one has looked or tried. It's easier to go to Defcon/Blackhat and trade war stories about the threat du jour and developers who "don't get it."
Here is a fun exercise for people going to the RSA show. Walk around the floor and count how many infrastructure security booths you see, then count how many application security booths you see. Make a note of the percentages. Then, when you get back to your company, walk around the infrastructure group and then walk around the development group (and don't forget to count the 2,000 developers you have in India). I bet in each case the ratio will be off by at least an order of magnitude.
One last thing: it's one thing to look at the industry numbers, but I have done this several times inside companies. Breaking the budget down into these categories is a pretty straightforward exercise for a single company; spend an hour with your finance person. (Note: I am more than a little surprised that some smart industry analyst like Andy Jaquith hasn't done the same for the industry as a whole, but whatever.) Once you pull these numbers from your company's budget and see what your infosec department is actually prioritizing, they tell a powerful story. It's almost always a story of misaligned priorities and missed opportunity for security improvement. You don't have unlimited funds; invest them wisely.
While checking the RSA booths, another fun thing to count is how many booths are fixing some other product's security problem, compared with directly providing security value of their own.
Posted by: Andrew Yeomans | February 19, 2010 at 01:09 AM
I think there's a bit more to it than just the background experience of security people:
For one, walling off your garden is a much simpler concept to explain to management than making your garden intruder resistant.
For another, network security equipment can be booked as a capital expense, while developer time is an operational expense, and capital expenditures have accounting and tax benefits you don't get for operational expenditures.
Posted by: Maarten Hazewinkel | February 19, 2010 at 02:16 AM
I think these days most infrastructure devices include some sort of application security layer too, which makes the budgeting exercise a bit more difficult. For example, Snort IDS (and commercial IDS) are capable of looking at web application attacks to some extent. Also, Cisco security devices have inbuilt application layer security built into them, which is somewhat limited, but nevertheless, I think with Threat Management Gateways gaining more hold in enterprises, the line between infra and app sec is becoming thinner.
Just my thoughts.
Posted by: PitvoalSec | February 19, 2010 at 12:50 PM