There’s an old joke that goes something like this: “I know that 90% of my advertising budget is wasted. I just don’t know which 90%.” Similarly, many companies suspect that some – or all – of their security budget is wasted, but they can’t tell which part. To complicate matters, every year there are new threats and new technologies.
Bob Tarzey, a director and analyst with research company Quocirca, puts it this way: “Nobody’s saying that IT security is not a massive part of what organizations need to invest in. But I suspect any organization could sit down and review its security on an annual basis and work out that it’s paying for a lot of things more than once.”
Tarzey believes that companies may find savings by moving to new technologies – for example, he favors focusing on content and people rather than firewalls, and moving spam and malware detection into the cloud rather than locking down desktop machines. Sometimes, he says, a company will do better to mitigate the risks inherent in a particular process – such as taking customer credit cards by outsourcing it to a third-party specialist – rather than trying to secure it.
Richard Jacobs, CTO of anti-virus vendor Sophos, on the other hand, names network access control systems, all the rage a few years ago, as a wasted investment in many cases.
"People are looking for cheap, easy answers – and rarely get them" |
Richard Jacobs, Sophos |
Whereas many people thought they were at risk from misconfigured, unknown machines that connected to their networks, in fact that risk was exaggerated, he explains. To be sure, limiting network access is a genuine problem for some organizations – banks, in particular, or companies with significant intellectual property. “But the vast majority of organizations need to solve a simpler problem. They need to be clear about which data they really care about, and usually that’s the personal records of employees, customers, or patients.”
The underlying problem, says Jacobs, is that “People are looking for cheap, easy answers – and rarely get them”.
Bugaboos
Particular bugaboos for Peter Wood, CEO of the security testing company First Base Technologies, are intrusion detection systems and intrusion prevention systems, as well as data loss protection systems, which he thinks are “an immature technology”.
In the 21 years he has been in the business of looking at security technologies, he says he has found that IDS and IPS are “typically badly deployed and not really giving any return on investment. It’s not because of something inherently wrong with the technology but there is always something wrong with the implementation.” The PCI regulations have set off an upswing in new installations but, he says, there is little or no planning and never enough people to manage it.
"I suspect any organization could sit down and review its security on an annual basis and work out that it’s paying for a lot of things more than once" |
Bob Tarzey, Quocirca |
Like Jacobs, Wood attributes these wasted purchases to a desire for quick, easy solutions. “Our industry particularly loves silver bullets”, he says. “You would hope that security people would take a bigger picture view and look at the whole security sweep across their business and choose solutions to provide a reasonable return on investment – but despite their intentions to do that they still get swept up into the latest thing just like investing in IT.”
In addition, he says, people get so focused on hardware and software that they overlook holes in their physical security. “Most organizations have spent no time training staff at key parts of the perimeter – they’re not treated as part of the defense.”
Fashion Faux-pas
Here Wood touches on something that critics of government IT projects have often pointed out: that fashions in technology often outweigh common sense.
“RFID was a big craze in the 2000s”, recalls Gus Hosein, a visiting senior fellow at the London School of Economics and senior fellow of Privacy International. He lists other expensive fads: biometrics and card access control systems.
We all, he says, bear the costs: “Yes, governments got excited and bought useless technologies. But industry also helped to fund these product developments with every CEO who got terribly excited about security technologies that had nothing to do with security. Every time you walk by a ‘government-issued’ ID requirement to enter a building, or see the use of biometrics in corporate environments, or background checks on employees, think about how this money could have been better spent on techniques that respond to real threats.”
"Just buying security products is almost invariably a waste of money unless it happens to be a complete answer to a particular technical problem" |
Tony Collings, ECA Group |
The media play an important role here in that rare but widely reported incidents often seem like bigger threats than more mundane things that happen more often but don’t get the coverage – a psychological phenomenon that can be expensive.
Toby Stevens, who sees a lot of companies in his role as director of the Enterprise Privacy Group, cites airport whole-body image scanners as an example: “These are knee-jerk reactions and huge amounts of spending where the risk does not justify it. You get one idiot who intends to blow up his underpants and we’re spending billions on an unproven technology.”
The big reason behind such mistakes, however, goes back to the point we started with: manager’s magic boxes they can believe will solve all their problems. “Any half-decent security expert will tell you that the best thing you can do when you come into an organization that’s a real disaster is to start training the people”, Stevens says. But propose such a process of behavioral and cultural change, and “Management will reject it and give you money to buy boxes”.
Partly, that’s because so many managers have been burned by mishandled change programs, but partly, he says, “Management don’t understand that taking someone out of their day job for an hour for training could achieve a much greater win than buying something”.
Got a Problem?
But even this last point – training people instead of searching for magic boxes – isn’t the key problem, says Tony Collings, managing director of the ECA Group and, until 2007, the head of the security and fraud prevention team for the UK’s National ID Card program.
“Most people who buy security products don’t actually understand what their problem is”, he contends. “Do you understand your own business? Is it a real problem or a management perception of a problem?” He cites, for example, a large UK commercial organization that spent large amounts of money on anti-virus software that auto-updated as often as every two hours – while completely ignoring the amount of information being sent out of the company in the form of email attachments.
"Yes, governments got excited and bought useless technologies. But industry also helped to fund these product developments with every CEO who got terribly excited about security technologies that had nothing to do with security" |
Gus Hosein, Privacy International |
“From a business perspective”, he says, “What is the problem? Do you know where your vulnerabilities and loopholes are? Is management focused on safeguarding their core information? Is it intellectual property – or is it the sales list?”
These are, of course, all security problems. But, like Stevens, he says, “A lot of issues can be solved quite quickly by retraining and reorganizing parts of the organization to put things that need to be secure somewhere out of harm’s way or by even changing the internal system very slightly. Just buying security products is almost invariably a waste of money unless it happens to be a complete answer to a particular technical problem.”
Larger projects pose even greater problems. Many people who write the specifications either get the problem wrong or try to negotiate price cuts so steep that the supplier won’t survive to support the system. Or, in the interest of saving money in the short term, they cut corners such that something that started out as a reasonably good technical fix to a business problem winds up being changed at the last minute so that the system becomes progressively less valuable and more of a hindrance to the business.
But ultimately, he says, very often the source of waste is a simple one: no one is accountable.
For 25 years now, Peter G. Neumann, principal scientist at SRI International Computer Science Laboratory, has been moderating the ACM RISKS Forum, accessible by email or as a Usenet newsgroup. As such, the riskiest and most egregious and unnecessary waste of resources Neumann sees is the computer industry’s inability to learn from its own history. “We keep making the same mistakes over and over and over again”, he says. Take, for example, the 12-hour electrical blackout that took out power all along the Northeast coast in 1965 because an incorrectly set safety relay triggered a cascade of overloaded circuits that all shut down in turn. “Since then there have been 15 major power blackouts”, he says. “And every time they say they’ve changed the algorithm so it will never happen again.” Similarly, in 1980, the internet’s precursor, ARPAnet, collapsed for four hours when a flaw in the algorithm to collect status messages set off a cascade of buffer overflows. Fixing it required all the ARPAnet nodes to be shut down manually. Then there was the 12-hour 1990 AT&T outage, when a few lines of code, intended to update the routing algorithms, had a bug that caused the receiving systems to crash, again propagating endlessly. “It’s all the same problem and each time they’re saying it will never happen again”, Neumann says. “We got rid of buffer overflows in Multics in 1965. It was completely solved. Kids today don’t have a clue. They are not learning the lessons of the past.” |