In-Depth

Top Three Security Problems Remain Despite Increased Spending

Companies turn to managed Service providers for help; desktops dominate security budgets as patches average $234 per machine.

• By Mathew Schwartz
• 02/18/2004

Half of respondents see security budgets increasing over the next three years; only eight percent see it decreasing. Also, half of all respondents share the same budgetary top-three: antivirus, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and firewalls. In addition, 40 percent of the Fortune 500 plan to purchase Web services security products.

Yankee also sees more companies opting for outsourcing, and predicts managed security services alone will grow from $1.5 billion in 2002 to $3.7 billion in 2008.

Yet for all the looking forward, the same old problems continue to plague companies—especially vulnerabilities. "One of the most surprising results of the survey is that the cost of patching desktops is astronomical," says Yankee analyst Phebe Waterfield. The average cost: $234 per desktop. For a company with 5,000 desktops, that means over $1 million spent annually just for patching, and for the finance industry in particular the cost is higher.

The survey produced other interesting results. For example, unauthorized servers, intrusions and antivirus, unauthorized senders, and denial of service attacks dominate respondents’ network security concerns. "A big surprise for me was that peer-to-peer and instant messaging rated so low. It turns out that IT managers and network managers have much simpler problems that they need to deal with," says Yankee analyst Eric Ogren.

Beyond vulnerabilities, viruses, and patching, respondents' other big worries were regulatory compliance and wireless technologies.

Regulatory concerns certainly haven’t hurt security budgets. With such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, and Europe’s Basel II, security has become "a C-level and boardroom imperative," notes analyst Matthew Kovar. While some regulations are industry specific, "the Sarbanes-Oxley Act specifically requires rapid expenditures on technology, processes, and documentation, to ensure clear separation of operations from line-of-business activities," he says. As a result, "to comply with these regulations, organizations are conducting security audits of their internal- and external-facing systems, including partner-network connections."

Ironically, regulations threaten to create a security arms race, since the lack of established benchmarks means regulators are taking an industry-wide sample, then judging good from bad. Of course, no company wants to be the model for what not to do. In the short term, says Kovar, this might work, but it can’t last forever; companies can’t battle forever—they have to establish agreed-upon baselines with regulators.

To better handle the vulnerabilities and viruses plaguing them, Kovar recommends companies outsource anything—including security—that isn’t mission-critical, or at least a core competency, to focus on securing their critical internal information. "It may be counterintuitive to outsource perimeter security protection such as firewalls, IDS, or content inspection; however, service providers can do it cheaper through economies of scale, [and] managed security service providers can keep up with the change in technology, freeing you from that obligation."