Carl Weinschenk spoke with Gunnar Peterson, managing principal, Arctec Group.
Weinschenk: You're suggesting that IT budgets and security budgets are out of alignment. Please explain.
Peterson: I started calling security functions the People's Republic of IT Security. It starts to operate by the rules it sets, but there is little overlap with what the business cares about. So if security executives are doing what they have always been doing regardless of where the business is going or threats that it faces, spending is guaranteed to end up in the wrong place.
Weinschenk: How do you fix it?
Peterson: Security folks need to begin by aligning their investments with the same priorities the business is investing in. What you'll see very often is businesses spend at least 10 times more on application development than on networking investment. And you'll see that security is the reverse of that. They spend 10 times as much on network security as on application security. There is no real technical reason for this. The notion is that information security is about managing risks for the business and that means protecting assets, databases, applications and systems. Their priorities are not reflecting investments to protect these assets. You see that again and again and again. I've done this for a number of clients, analyzing budget numbers. The categories I use are the network, hosting, applications and data. I run the same numbers for security. You can do it in two to three days. The answers are very interesting. A lot of people have seen it empirically.
Weinschenk: How do you start building a case to confront the issue?
Peterson: You take the budget and prove it in numbers. When you look at how the business invests and see how security invests, many times it is the opposite. You have to ask questions about that. It's not a one-to-one match. That should be the starting point, and if you want to invest more in other areas, the burden is on you to prove [it is justified].
Weinschenk: These spending habits must be pretty deeply ingrained. It must be a big challenge to turn it around.
Peterson: It is going to be hard to change some of these things overnight. The company has licenses, legacy investments. I would look to where the gap is coming from. When you look to resolve this, I think investing in training and awareness can go a long way. It can't completely solve the problem, but can help by [for instance] showing them how to write more secure code, training database administrators to configure their databases more securely. Doing that is not a huge investment, but ultimately having people helping to bridge the gaps is a huge advantage.
Weinschenk: What is the first step, practically, in addressing the overall issue?
Peterson: I think it starts with aligning where the business is investing. Pragmatically speaking, I don't think it's a one-to-one match. If you spend $37.3 million for database administration, you don't have to spend $37.3 million for database security. You do not have to be that precise. It's prioritization, an ordinal ranking of first, second, third or fourth in spending. The key difference is to get the order right, not necessarily getting the percentage right. The biggest line item in [non-security] spending should match the biggest line item in security.
Weinschenk: How important is it to speak to financial folks in their own language?
Peterson: That is huge, absolutely huge. Not only does security need to align where IT as a whole is investing, but it's very important that IT security communicates its decisions better. That means speaking the language of business instead of Klingon and using business constructs, like dollars and cents and budgets, to make the point. The first thing is information gathering. It doesn't need to be a major exercise in terms of time. It really is a matter of days just to sit with finance people to get those numbers. Start with some categories in mind. I like networking, host, applications and data. Take a little bit of time, a few hours with finance people to find where IT is spending this year and perhaps last year as well. It should really jump out at you and give you a good idea of where to execute next. You can jump right in.
Weinschenk: What is likely to happen when this starts?
Peterson: If a company starts an application security project, for instance, there may be some pushback in the organization. That's understandable in terms of application security, which is a new thing for people to do. But at the same time, the answer is to look at the numbers and ask, "Why wouldn't we invest [for security] in the same places that the business is investing?" A lot of times, it's striking to people when they look at those numbers. It is like someone who is in really good shape in high school and wakes up at age 35 and is 50 pounds overweight and says, "Why did this happen?" You definitely get that reaction very frequently. That's the value of using numbers because it's an objective measurement - just like when you stand on the scale.
Weinschenk: Is the realignment important?
Peterson: I think it is a big deal. I really think IT security is out of control; in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control, and you can use the investing habits of the business to improve the situation. Part of that is that it's only relatively recently that you see good tools for application security and database security. It is a market-driven world, and as businesses invest more in technology products and processes, better tools and solutions emerge in that space.
Weinschenk: Once this is fixed - assuming it is - how can IT keep it from happening again?
Peterson: I think IT security needs to own the solution. IT needs to own the process of being in alignment with business. It's just like getting into shape one day at a time and doing the boring stuff like going to the gym and rolling up your sleeves and working out. They should stand shoulder-to-shoulder with the business people and not sit off in a corner of the building complaining about the decisions being made.