Organisations should aim to spend less of their IT
budgets on security, Gartner vice-president John Pescatore told the
analyst firm's London IT Security Summit on 17 September.
In a keynote speech, he said that retailers typically spend 1.5%
of revenue trying to prevent crime, then still lose a further 1.5%
through shoplifting and staff theft, costing 3% in total.
But Gartner's research suggests that the average organisation
spends 5% of its IT budget on security, even with disaster recovery
and business continuity work excluded, and IT managers are tired of
requests for more. Security has dropped from first (in 2005) to
sixth (in 2007) in the firm's annual survey of chief information
officers' technical concerns.
Pescatore said that managers are not impressed by the claim that
"security is a journey" without a destination. "Can you imagine,
'profit is a journey?'" he asked, pointing out that other areas of
IT are often able to offer their organisations more functionality
for less money, or some other kind of business benefit.
Growing efficiencies could be possible for IT security too. "I
really do not think most of us need more and people," he said, if
organisations moved to a model he called "Security 3.0". In this,
IT security would anticipate threats, rather than fight them after
they hit.
"We have been doing 'smack the rat' security," he said,
referring to the fairground game, but in future the model should be
chess - a longer-term test of strategy, rather than reaction
speed.
Pescatore said ways to prevent problems rather than fight them
include buying and building secure systems, which means considering
security during procurement and development, and rejecting products
which are not adequately protected. This might mean spending more
initially, but prevention is cheaper than cure. "This is the single
biggest step," he said towards his model.
On data security, Pescatore told his audience that the ideal,
ubiquitous digital rights management system would not appear in
their working lifetimes. Instead, it makes more sense to watch
where data is flowing, and block it from reaching insecure
locations.
Getting to a mature stage of IT security will take many
organisations some time, Pescatore said. By 2010, Gartner estimates
just a fifth will have reached its "operations excellence" stage
where they spend just 3-4% of IT on security, while two-fifths will
still be in the previous "corrective" stage, spending 7-8%.
In response to a question, Pescatore dismissed the idea that
insider threats are growing. He believes that attacks generated by
malicious insiders are stable at 20-25%. Half come from mistakes
made by insiders, while about 30% of attacks are made solely by
outsiders, the majority of whom are cybercriminals.
This article first appeared on the website of
Infosecurity magazine.