Maybe it's budgeting season or something, but lots of people are talking about it. I re-ran my back-of-the-cocktail-napkin security budget calculation (one problem with doing this type of analysis during the day is that there are no cocktails).
I used the publicly reported annual revenue of network and software companies. For network investment I used Cisco and Juniper to get a rough idea of how much enterprises spend on network gear. For network security I used Checkpoint and Sourcefire.
Annual revenue
Cisco     $40,000,000,000
Juniper    $3,300,000,000
Total     $43,300,000,000
So a rough estimate of network budgets is $43B. Now, what will companies pay to ensure the security of those assets?
Checkpoint    $924,000,000
Sourcefire    $100,000,000
Total       $1,024,000,000
So $1B in security to protect $43B worth of assets works out to 2.4% spent on security, or, for every dollar you spend on network gear, you spend 2-3 cents on securing it. (Note: this is not exact. For example, Cisco and Juniper obviously sell security gear too, so if we strip that out of the network asset line and move it to the security line, we get a higher percentage spent on network security. If anyone has the breakdown, I will re-run the calculation.)
Now for applications: what do businesses spend on application development and operations? For this I used the big software houses: Microsoft, IBM, Oracle and SAP.
Annual revenue
IBM      $95,000,000,000
MSFT     $62,000,000,000
SAP      $10,000,000,000
ORCL     $26,000,000,000
Total   $193,000,000,000
Software is big business: these four companies come out at around $193B combined. (Note that I realize this is not exact either. While I think Cisco and Juniper cover the majority of network budgets, in the software case I am quite certain $193B is very low, since it does not include the myriad of small and medium-sized players or the humongous outsourcing shops. But it is a good enough number to prove the point.)
There are precisely zero pure-play, publicly traded software security firms, which should be the first clue that something is amiss here. But given various estimates, let's use $500M as a rough approximation for static analysis, black box scanning tools, and the like. Where does this leave us? It leaves us with 0.26% spent on application security.
The uncomfortable conclusion here is that the People's Republic of Information Security has spent its money inversely to the business's budget priorities. Infosec spends more of its budget on lower-valued assets. This probably explains, among other things, the lack of progress in infosec and the inability to show a business case, when your top priority is a seventh layer of features on a 1995-era network security architecture while you leave $193B flapping in the breeze.
It's long past time to hit Ctrl-Alt-Del on the security budget. I propose the Infosec Flat Tax as a better way forward. I hope that CIOs will read this post, do their own math, and have a frank debate with their security teams.
There are no big public pure software usability, software safety, or software packaging firms either. That's partly because—even though we can convince ourselves that we can add security to a network after the fact—nobody involved in securing software believes such is possible for software.
Posted by: Brian | January 12, 2011 at 08:56 PM
What about McAfee and Symantec? My organization certainly isn't sending them hundreds of thousands of dollars per year because we like their logos. I'm pretty sure that we write them checks because they make an attempt at securing our software.
For the software companies you've listed, you'd have to take a stab at sorting out the fraction of their resources that they spend on security within their product suite. Oracle, for example, has a long list of security add-ons and features which presumably cost them time and money to develop, test, etc.
You also discount the internal software development costs related to writing secure applications. Presumably somebody, somewhere is doing internal code reviews of the software that they wrote....
I'd say you have to do a bit more work before flinging out numbers like these.
Posted by: Michael Janke | January 13, 2011 at 07:44 AM
@Michael
I think I am pretty conservative in estimating the size of the software industry. It could be fair to look at Symantec and friends against Microsoft, but they don't really do anything to protect SAP, Oracle, IBM or any of the others.
It is a cocktail napkin after all, but I am pretty confident that 1) I have covered the majority of the network market and 2) I have not even covered HALF of the software market (no Apple, Google, HP, outsourcers, Salesforce, on and on). So if anything, in "flinging" these numbers out, I have tried to be overly fair to the network side and underestimate the software side (in terms of assets). Nevertheless, the results are still damning.
Posted by: Gunnar | January 13, 2011 at 07:58 AM
I'd guess this is another variant of Mythical Man Month: the need for specialized Security Software is too abstract for 'Bean-Counters', so they just buy more hardware.
Posted by: Brian B | January 14, 2011 at 06:12 PM
Firstly, sorry for showing up late to this thread. Your tweet about Montier caught my eye (though the WSJ link was broken :(
I think we're on the same page here. I wrote some time ago about information security being 'Pareto inverted' - http://wp.me/pwN6G-5
@Brian is spot on that application security should be built in rather than bolted on, but @Michael is also right that there's a healthy (and somewhat publicly traded) market in bolt-ons above the network layer.
I see two problems here in the transition. The first is simple inertia: we can't stop doing the network stuff. At the very least it 'keeps the lumps out', as an old colleague of mine (now at Juniper) used to say. Also, the regulators won't let us give up the old defences. The second is verifiability. Bolt-on solutions provide a simple place for auditors to insert a check and check a box. Built-in solutions require built-in understanding, and we don't really have the tools for that yet.
Posted by: Cpswan | January 21, 2011 at 02:58 AM
@cpswan: to fix the ongoing misallocation of security budget dollars, the solution is to pay less; pay 50 cents on the dollar for 1995 tech.
Posted by: gunnar | January 25, 2011 at 07:06 PM