The Tech Herald

Security threats take backseat to budgeting

by Steve Ragan - May 15 2009, 17:15

Despite the growth of Malware-related threats on the network, massive bot-driven Spam, and Web application exploitation running wild, some businesses actually reduced their IT security budgets in 2008.

Interestingly, a new report shows that 60 percent of businesses surveyed say they are falling behind on security, or are at least still catching up to security standards overall. So why cut the budget, then?

Companies in the TMT (technology, media and telecommunications) industries slashed investment dollars spent on security in 2008, a new survey from Deloitte Touche Tohmatsu reports. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are "falling behind" or still "catching up" to their security threats. This figure, the survey reports, is a significant increase from 49 percent the previous year.

"This year’s results indicate companies are explicitly scaling back," said Irfan Saif, a principal in Deloitte & Touche LLP’s Audit and Enterprise Risk Services practice. With funding decreasing and threats increasing, it is important for TMT companies to be highly cost efficient in addressing their security risks, he added.

"Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate," said Saif. 

That’s the problem with risk management. The Tech Herald explored this topic with vendors during RSA and recently during a host of interviews with several experts.

While the resulting article is still being developed, the overall point is that businesses fail to grasp the risks to their business models. Risk management is not something to take lightly -- it’s more than just throwing software or money at a problem -- a business needs to know which threats are the most dangerous and what makes up an acceptable risk.

For example, there's simply no way to protect a network from every known Malware threat. Yet, businesses spend huge amounts of money on anti-Malware solutions. While anti-Malware is needed as a layer of protection, often when it comes to new networks and expansion, businesses will depend on anti-Malware solutions to prevent data loss, protect applications, and watch end users. This is a main selling point of the UTM (Unified Threat Management) solutions offered by almost every major security vendor.

While a UTM solution can cover Malware and some levels of data leakage, where are the stopgaps? Will a UTM stop an employee from storing information on an iPhone or iPod in order to continue working at home? If it does, will it stop the users from accessing an external e-mail account to send documents and forms to others? Will it prevent Malware from coming in on attached storage or e-mail or Web-based threats?

Some UTM solutions can do some of these things, but not all of them, and not 100 percent of the time. This is why risk management is so important: businesses need to know what's most valuable and how it can be protected. Simply defending against the latest risk, and only that risk, is useless. Buzzword security always fails.

Since spending is down, investment in risk management research should go up. This way, businesses can get more for their money and truly focus on what is important to the overall business model.
