Small thinking in security spending

I know I will be criticized for making these statements because I am employed by a vendor. But here goes anyway. If you do not agree with me go ahead and comment below. Unless you are linking to a site that sells Hoodia I will approve your comment. (What is hoodia anyway? I am sure I just increased the hits to my blog for including that word but I have never ever clicked on an ad for hoodia so I have no idea what it is.)

I fully understand the frustration upper management feels with the constant bleating from IT about needing more budget for security. Here they are trying to cut costs across the board and the security guys keep putting their trump card, risk, on the table. Analysts talk to upper management and start to regurgitate that frustration with pithy statements about not paying for new technology, consolidating vendors, complaining to Microsoft, etc.

But my view is different. Sure a lot of money has been spent on security. And sure you could have avoided spending a lot of that money if you had started with a focus on security from day one. But…

The security threat is increasing, dammit. There are more bad guys, they are becoming well-funded from continuing operations, and they are casting their nets wider. They are starting to turn their gun sights on you. To expect not to spend more is blind.

Let’s take DDoS as an example. Did you invest heavily in DDoS defenses in 1999 or 2000? No, of course not. DDoS was a game played by hackers. If for some reason they targeted your website you could say “oh well, big deal.” No loss, it was just brochureware anyway. In the meantime you saved $100,000 in fancy network boxes.

Roll forward to 2005. Two things have changed. First, now your entire business depends on the internet. You actually earn revenue from your exposed web services. Second, there are now cyber extortionists who have been making millions by threatening DDoS against popular e-commerce sites. Once they figure out you depend on your website they are going to target you. You will either go down or pay up, and then you are going to invest in DDoS defense.

So the threat has changed and you had better be spending more to counter it.