On security spending

Security spending is an interesting thing. I’m fascinated by how companies time after time throw large amounts of dollars into their security buckets, but consider it final when physically implemented. Buy a firewall for 50k, have a rookie administrating it. Gunnar Peterson puts it right when he says:

in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000.

You might wonder if companies are interested in results. If so, how do they get them? I would do it by collecting and reviewing metrics. I’ve recently read a book on the subject which I intend to discuss in a future post.


 
 
 

One Response to “On security spending”

  1. gsandahl.net » Attack monitoring and detection as suggested by Microsoft
    13. November 2007 at 00:19

    […] and environments. The lack of these kind of security operations are what makes companies fail, not that they don’t have enough security products. The article also features some good hints on analysing Window Event […]
