Jim's Pond - Exploring the Universe of Ideas
"Beware when the great God lets loose a thinker on this planet. Then all things are at risk. It is as when a conflagration has broken out in a great city, and no man knows what is safe, or where it will end." --Ralph Waldo Emerson
Tuesday, March 11, 2003

What are we doing about Security?

The March 2003 Business Communications Review has a small article about Security spending on page 6. The basic idea is that while analysts expect businesses to spend 6% - 10% of IT budgets on security, the reality will likely be more like 3% this year. Why?

Security attacks on the network continue to increase every week. Port scans are a constant reality. Troy says that the UEN network is never scan free for more than five minutes. Last weekend I received a message from Pete indicating that we were blocking 20 Mbps of traffic from the Deloder attack. He speculated that between Deloder, Slammer and other nefarious activities we are blocking three or four times that amount. So why aren't we investing in Security?

I think I'm beginning to understand. Or, more to the point, I'm realizing that we don't understand what it will take to make serious inroads in securing our networks. Security is a very human-resource-intensive activity. We need to hire more security geeks. Yet new FTEs are the most difficult expenditure to get approved. This is especially true in the private sector.

Buy all the new PCs you want. Get that new software. Sure, we can send you to training. We need what? A new, expensive, security geek. Sorry, no way. Of course, another part of this problem is that there may not be enough qualified security geeks to go around. The skills are quite specialized and it takes a certain type of individual to really "get it".

I believe that we will not make any headway in the fight to secure our networks until we make a major investment in hiring security employees. That's right, employees. As in plural. The University of Utah has taken this approach. There are four full time security employees to handle issues on campus.

Tools are free or cheap. They run on inexpensive hardware. It's the eyes to see and the brains to analyze and address issues that are most needed. Corporate America better figure this out soon and begin to invest in the people. That is the first and most important step in getting serious about security.
9:51:26 AM






© 2005 Jim Stewart
Last Update: 2/16/05; 2:41:14 PM
