Risk
7/11/2007
04:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Are You Spending Your IT Security Dollars Wisely? If You Don't Know, You're Not Alone

How do companies know they're getting their money's worth when they invest in IT security products and services? InformationWeek's upcoming 10th Annual Global Security Survey indicates that a surprising number of companies don't measure the value of their security investments at all. (Hint: it's up from last year).

How do companies know they're getting their money's worth when they invest in IT security products and services? InformationWeek's upcoming 10th Annual Global Security Survey indicates that a surprising number of companies don't measure the value of their security investments at all. (Hint: it's up from last year).It was one of the most surprising results I came across as I studied the data in preparation to write this year's security survey story, which will debut on InformationWeek.com July 14. IT budgets have always been tightly controlled; some companies won't even talk about how much they spend. But security is different. Companies have a longer leash when it comes to spending on security because no one wants to be the next company to make headlines because of a major data breach, either through lost or stolen information.

That's why the Veterans Affairs Department last year signed up SMS Inc. to a $3.7 million contract to install GuardianEdge Technologies and Trust Digital mobile encryption software on all laptops. Is that investment paying off? Hard to say because the VA has since found new ways of losing information about the men and women who've served this country. In January, an IT specialist with the VA lost an external hard drive that may have contained information on more than 1 million vets as well as non-VA physicians, and it's unclear how much of that information was encrypted. What is clear is that not all of that information was encrypted, a condition that pokes holes in the VA's efforts following the landmark theft of a VA laptop in May 2006 containing about 27 million records.

Maybe this is why not every organization measures the value of its security investments. In the 2006 Annual Global Security Survey, about half of the U.S. respondents measured value based on workers spending less time on security-related issues, while 41% used any decline in the amount of network downtime to justify security spending. Forty-percent cited better protection of customer records as an important factor in determining whether their security investments cut the muster. Yet 22% of U.S. survey respondents said they didn't measure the value at all.

Are IT security dollars that easy to come by, or have companies simply written IT security off as an exercise in futility? Be sure to check out the 10th Annual Global Security Survey next week to see how you compare with your peers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.