At What Price Security?


Nobody wants to wind up on the front page of the Wall Street Journal or the New York Times because of a security breach. Just ask any of the good folks that work at T.J Maxx or Heartland Payment Systems about how much fun a major security breach can really be. But all the legitimate concerns over security also conspire to paralyze us when it comes to rationally thinking about how we allocate our security budgets.

Most IT organizations are loath to revisit their security strategies for a few primary reasons -- the first of which is what they have in place appears to be working because they can see attacks being thwarted. The problem, of course, is that these devices are preventing types of attacks that were once considered sophisticated, but now in the age of blended threats are looked upon as being pretty routine.

Worse yet, studies have consistently shown that huge percentages of our security devices are mis-configured. That means that even though most of them appear to be working, the threats to our security are not as mitigated as we might hope.

Unfortunately, chances are really high that the people who deployed a particular security device are no longer with the company. And the subsequent security administrators are loath to mess with something they were not around to initially install for fear of making things worse than they might already be.
The other half of the security budget story is the sheer number of devices that we have already deployed. In our zeal to create defense in-depth strategies, most IT organizations deployed separate appliances for anti-virus, anti-spam, intrusion prevention, firewall, content filtering, virtual private networks, etc. The end result is a massive sprawl of security appliances at the edge of the network that function as "performance helpers" by offloading specific security tasks from the routers and switches. Unfortunately, not only are all these devices complex to manage, hardly any of them are integrated with each other, so no security alerts are really shared. And attackers have become very adept bypassing these devices by running the seam between them, or just shifting their attacks to an application level where most of these network-level devices are blind.

The end result of all this is a huge amount of money being spent to provide uncertain levels of security using infrastructure that is expensive to build and complex to manage. Worse yet, because the vast majority of our security dollars are being spent to maintain the existing infrastructure, we probably don't have enough money on hand to combat new and emerging security threats. It's roughly equivalent to spending all our money maintaining walls while the enemy spends all their time building airplanes to fly over the walls.

Coupled with the current state of the economy and resulting pressures on the IT budget, the time has come to re-evaluate enterprise security on multiple levels. The first thing that needs to be considered is consolidation. All those appliances on the edge of the network offer no more security than a single integrated device capable of performing all of those functions. Whether you want to relay on a new generation of routers and switches to perform those functions or an integrated firewall appliance is up to each individual organization. The point is that either approach to unified threat management offers sufficient levels of security at a lower cost. Some might argue that an integrated appliance or switch will add more latency to the network, but for most IT organizations the amount of additional latency introduced on the network in nominal.

The second thing that needs to be done is reevaluate the investment in security specialists. These folks are all extremely talented and extremely expensive. Odds are good that a managed security service can provide equivalent amounts of security without your company having to hire full-time employees to manage it. Let the people who build the overly complex security equipment in the first place pay the salaries of the people needed to manage them. All you need to do is send them a subscription fee for the security service, thereby reducing your own capital budget expenses and IT labor costs.

None of this guarantees any level of security. The fact is that we're losing the security war largely due to the complexity of the systems we're trying to protect. But like all things in life, security is about balancing risks against costs. And right now, most IT organizations' security costs are way out of control relative to the amount of security they actually have.

So the question is are we too afraid to take a good hard look at security?