Is it really incompatible?
It was interesting to read Gunnar Peterson's rant this week about firewalls getting the number 1 spot in the CSO budgets. For those who haven't seen it, here is the core of it:

"I had to check the date to make sure that it wasn't 1995 when I read this:
The survey of IT pros and C-level executives from 450 Fortune 1000 companies -- commissioned by FishNet Security -- also found that 45 percent say firewalls are their priority security purchase, followed by antivirus (39 percent), and authentication (31 percent) and anti-malware tools (31 percent).
And what threats are these IT Pros and C-level execs concerned about?
Nearly 70 percent say mobile computing is the biggest threat to security today, closely followed by social networks (68 percent), and cloud computing platforms (35 percent). Around 65 percent rank mobile computing the top threat in the next two years, and 62 percent say cloud computing will be the biggest threat, bumping social networks.
Let's see, what do mobile computing, social networking, and cloud computing all have in common? Oh yes, they all bypass the firewall's "controls"! How do you reconcile spending on something (firewalls) that does not address any of your top threats? This dichotomy is infosec's biggest problem. We have plenty of good controls and processes to use; what we don't have is enough talent in infosec to integrate them and put them to use."

I will not disagree with Gunnar that there is a chronic problem of incompatibility between the most common security controls being deployed and the major threats and concerns. But I'm also a strong advocate of more careful, data-driven approaches, like the New School guys. In this case my concern is that Gunnar wants to see a direct cause-effect relation between "purchase priority" and "threats". I believe it's reasonable to expect that, but there are some things to consider that can prevent it from happening.

Yes, there should be a connection, but only to the extent of "strategy-related spending". When discussing IT expenses we should remember that budgets are normally split between operational and capital expenses. Depending on how intense the ongoing infrastructure refresh initiatives are, you'll see more dollars being spent on stuff like than on things related to the new threats, just because you need to keep things running. If the organization is going through a big physical expansion, for example, it will eventually need to put money into things like networking gear. Would that be wrong just because the current innovation focus (and also the threats) is not on the network infrastructure? I don't think so. Think of this as the "Maslow Pyramid" for IT: you'll spend money on the upper layers only when the lower layers are stable.
(I'm purposely ignoring more radical approaches such as the Jericho Forum stuff and cloud-based stuff, as not all organizations can afford to quickly break IT paradigms every time there's a new trend out there. Yes, those new things can help organizations move faster and avoid being trapped in the continuous maintenance of the )

The fact that there is a disparity between top threats and top expenses is not necessarily related to a lack of understanding, skills or security talent. We can blame security professionals for focusing only on infrastructure components, but it only makes sense to do so when they have enough resources AND the option to allocate them as they want. So, if your budget covers only your operating expenses, how can you even try to introduce radical changes to your security model? Yes, it probably perpetuates the hamster wheel of pain, but changing the status quo will normally require an initial increase in resources and focus (and it's not only about money; sometimes you just don't have time!) that not all organizations concede to their CSOs.