Buying security products is often a waste of money
Businesses waste millions of dollars trying protecting their IT infrastructure but too many investment decisions are corrupted by poorly applied mathematics.
"I believe that industry, by and large, is wasting money on security today," said Gene Hodges, CEO of security firm, Websense.
Hodges said the need to feel secure has lead to business making poor investment decisions when it comes to IT security. This has resulted in money being disproportionately allocated to preventing attacks on IT infrastructure.
"Attacks were, for the '90s and the first half of this decade, focused on the infrastructure and the bad guys' objective was to take down your e-mail system, to take down your network connectivity through DDoS attacks ... that's why we bought firewalls and antivirus, IDS and IPS.
"I think spending money on classic infrastructure security gives you a sense of security, but actually, you know ... it doesn't matter that much," he said.
Hodges' comments echo those of security guru Bruce Schneier, who recently warned business to avoid getting "caught up in the feeling of security, driven by fear".
But this doesn't mean that spending on security is a waste of money, according to Hodges, who said that overzealous budgets for securing infrastructure are wasteful because their relationship to a company's financial performance is more tenuous than say, data leakage.
"So what if some IT guys have to work over the weekend to clean up laptops. I mean, I'm sorry to say this but you know that's generally the way a CEO would feel.
"On the other hand, that same CEO, if he thought he was going to be embarrassed and the stock price depressed through a major data leak, he would be very happy to make that investment -- and I think that's well beyond the feeling of security," Hodges told ZDNet.com.au.
Schneier said that another problem faced by administrators is knowing how much security products are worth.
"If you've ever see one of those ROI models, what they do is measure the cost of an attack and then multiply it by the probability of an attack to give you how much money you should spend -- this is how all insurance companies build their business model," Schneier told ZDNet.com.au in a video interview.
"Maybe your reputation is worth $20 million, or maybe it is only worth $10 million, or maybe it is worth $40 million. Suddenly I can completely perturb your budget -- because the numbers are so big and so small, that minor changes perceptually make huge changes to the product. So I can make an ROI model say whatever I want," he added.