Security Spending Still Doesn't Follow Attack And Breach TrendsDatabases may be at risk of the most severe damages from attacks, but the network layer still gobbles up most of the security cash
When it comes to lining up IT security spending to protect the assets most at risk to criminal attacks and exposing organizations to costly breaches, priorities still seem to be out of whack. A new survey out this week shows that while IT teams acknowledge that attacks on core infrastructure elements pose some of the most severe risk to their organizations, they're still spending on average less than a quarter of their IT security budget on core infrastructure elements like databases, applications, and servers, as compared to 67 percent on network assets.
"Organizations can't continue to spend on the wrong risks and secure themselves out of business," said Mary Ann Davidson, chief security officer at Oracle, which sponsored the survey. "When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."
[Is cross-site request forgery still a concern for your organization? See CSRF Still Armed And Dangerous.]
Conducted among more than 110 global companies across all the major verticals, the survey shows that 52 percent of organizations say the risks damage posed by attacks against databases is most severe, compared with just 34 percent who said the same about attacks against the network. And yet 67 percent of the same organizations reported allocating the most resources to network assets, as compared with just 15 percent that throw the most money at database security.
According to Josh Shaul of database security firm Application Security Inc., the big problem IT security faces is getting business executives on board to really believe their core infrastructure is at risk.
"In many cases, it takes a breach for the risk to become believable, even in the face of penetration test results that clearly show an attacker's ability to get in and gain access to sensitive data," he says. "This disbelief seems to get stronger as the systems get more important -- when it comes to databases, some of the most critical systems out there, business executives will go to amazing lengths to retain their belief that these systems are unbreakable."
While the application layer is increasingly a vector for attackers to either enter organizations or escalate attacks further in the network, it is similarly ignored from a budgetary perspective, according to the survey. Just 15 percent of organizations reported spending the bulk of their security budget on application security. This jibes with what John Maddison, Fortinet's vice president of marketing, sees from most organizations today.
"Application security represents a relatively small piece of the overall security pie," Maddison says. "When customers start to embrace a zero trust model beyond just mobile [or] endpoint devices and include Web, application and database servers, then this spending pattern will be reviewed."
He warns that no matter how organizations reprioritize their security spending ratios, they should be mindful not to do it without cohesiveness in mind. This seems to be a problem for many organizations -- the Oracle survey showed that 40 percent of respondents believed that implementing point solutions created gaps in their security.
"What you cannot do is continue adding distinct security applications and appliances all over the place," Maddison says. "There needs to be a platform to consolidate."
Shaul says that the survey highlights yet again that security organizations have to take a holistic look at their assets to understand how adversaries target infrastructure to develop attacks in order to breach information.
"In many cases, those assets are data. Then organizations should put their biggest security focus on the identified 'at-risk' assets," he says. "That probably means moving budgets from the network perimeter and endpoints to the data center, and implementing a true layered defense where security technologies get more sophisticated and harder to bypass as you get closer to the assets you want to protect."
Shaul also couldn't help getting a dig in at Oracle, highlighting how infrastructure companies themselves may need to undo past years of work of inflated security claims in order to let their customers know their products may be at risk.
"It's interesting to see Oracle commenting on the lack of security spending around databases, when it is Oracle who went out and told the world that their databases are unbreakable," says Shaul, saying those long ago words were exactly what many executives wanted to hear and ones that they've bought into at this point. "When the vendor says the system is secure, it's easy to ignore the facts on the street that show otherwise."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio