Maybe it's budgeting season or something, but lots of people are talking about it. I re-ran my back-of-the-cocktail-napkin Security Budget calculation (one problem with doing this type of analysis during the day is no cocktails).
I used the publicly reported annual revenue for Network and Software companies. For Network investment I used Cisco and Juniper to get a rough idea of how much enterprises spend on network gear. For Network security I used Checkpoint and Sourcefire.
So a rough estimate of Network budgets is $43B. Now, what will companies pay to ensure the security of those assets?
So $1B in security to protect $43B worth of assets works out to 2.4% spent on security, or, for every dollar you spend on network gear, you spend 2-3 cents on securing it. (Note: this is not exact. For example, Cisco and Juniper obviously sell security gear too, and if we strip that out of the Network asset line and put it in the security line, we'll get a higher percentage spent on network security. If anyone has the breakdown, I will re-run the calculation.)
Now for applications: what do businesses spend on application development and operations? For this I used the big software houses - Microsoft, IBM, Oracle and SAP.
Software is big business: these four companies come out around $193B combined. (Note: I realize that this is not exact either, but while I think Cisco and Juniper cover the majority of Network budgets, in the software case I am quite certain $193B is very low. It does not include the myriad of small-to-medium size players or the humongous outsourcing shops, but it's a good enough number to prove the point.)
There are precisely zero pure-play publicly traded software security firms, which should be the first clue that something is amiss here. But given various estimates, let's use $500M as a rough approximation for static analysis, black box scanning tools, and the like. Where does this leave us? It leaves us with 0.26% spent on application security.
The uncomfortable conclusion here is that the People's Republic of Information Security has spent its money inversely prioritized to the business budget priorities. Infosec spends more of its budget on lower-valued assets. This probably explains, among other things, the lack of progress in infosec and the inability to show a business case, when your top priority is a seventh layer of features on a 1995-era network security architecture and you leave $193B flapping in the breeze.
It's long past time to hit Ctrl-Alt-Del on the security budget. I propose the Infosec Flat Tax as a better way forward. I hope that CIOs will read this post, do their own math, and have a frank debate with their security teams.