
October 04, 2007

Getting more bang from your IT security bucks

It's no secret that enterprise customers are getting fed up with how much money they're spending on security these days, but one analyst claims that many businesses could get a lot more out of their investments simply by choosing technologies more wisely and taking a closer look at the projects they're involved in.

At next week's (Oct. 7-12) Gartner Symposium/ITxpo 2007 in Orlando, Neil MacDonald, a longtime security analyst who also wears the title of "fellow" at the research firm, will give a presentation (Tuesday at 8 am) dubbed "Fifteen Ways to Spend Less and Become More Secure" during which he'll outline his concepts.

Lucky for all you Zero Day readers who aren't paying to attend the show, we got a sneak peek for free.

According to MacDonald, current enterprise security budgets are "all over the map" with spending ranging anywhere from 3.5 percent of companies' overall IT purses, to as much as 20 percent, with the average being something close to 11.7 percent.

While vendors might not like to hear it, the analyst said this illustrates that many companies are overspending significantly, as he estimates that an intelligent security budget should account for anywhere from 3-6 percent of overall IT spend.

Yet, with all the varieties of threats out there and the pressure to open up infrastructure to greater numbers of shared services and business partners, clearly the process of defending corporate IT assets and data is becoming even more challenging.

"People want to open up more and the attacks are getting harder to spot, but the spending that's going on just can't continue like it has -- the spending trajectory cannot continue to increase unabated," the analyst said. "What we have now is almost a worst-case scenario from a business and management perspective."

Some of MacDonald's tips for reining in spending follow:

-Companies should take a more process-based approach to security -- addressing different problems cannot be treated as a set of projects; it should instead be handled as a set of processes, he said.

For instance, when dealing with configuration management, MacDonald recommends that companies employ a strategy of looking at the configuration and vulnerability status of every device on the network from a process standpoint before investing in automated tools to address problems.

"Without a process, you can't accurately isolate the right technologies to help automate; there are good tools out there, but you have to investigate which ones fit your environment the best before buying," he said.

-Companies should avoid high-cost projects.

Many high-level, expensive projects that have become popular in recent years -- including single sign-on, risk dashboards, digital rights management and ID access management -- aren't worth all the effort and spend some companies are throwing at them, and the analyst believes that the problems they aim to solve can be addressed in faster, cheaper ways.

"Companies need to stop chasing rainbows and unicorns on projects that never seem to end and have a life of their own," said MacDonald. "A lot of these things have become perennial budget items when in reality they are typically only aimed at getting patchworks in place until better industry solutions arrive."

"For something like single sign-on, companies can use Active Directory; DRM among trading partners might not be feasible to build or sustainable for the long term. Companies should limit that type of project only to people who really need it, for specific groups of workers."

-Ditch best-of-breed for integrated security tools when possible.

It's nice to have leading-edge products for every aspect of security, but it's not practical for anyone but the largest companies that can afford the technologies and the people necessary to do all the integration and management, said the analyst. Endpoint security is one area where there are already opportunities to consolidate security tools, he said.

"The emerging security platforms that pull multiple types of functions into a single product are the biggest area of cost savings we've researched," MacDonald said. "If an organization is using multiple products to defend different types of applications, or the endpoint, they need to centralize and take a closer look at some of the converged products, including those that address security from the operational side."

-Employ internal applications security testing tools during the development process.

With development giants IBM and HP snapping up application security specialists Watchfire and SPI Dynamics, respectively, to add testing to their platforms, it will soon become easier for developers to build security testing into their work.

No matter what tools you choose, MacDonald said, making sure that applications have as few code vulnerabilities as possible before they go live can equate to significant savings on the money that might otherwise be spent protecting them after the fact.

"This idea seems like a no-brainer, but it's harder in reality because it involves a cultural change in terms of who runs the security tools and who tests the applications," he said. "However, pushing more testing into the development process itself can make a huge difference in the long run. With the acquisitions by HP and IBM, I think there's also some hope for making the transition easier by building the tools right into the development platforms."

Posted by Matt Hines on October 4, 2007 10:04 AM