Buying security products is often a waste of money

Buying security products is often a waste of money
Buying security products is often a waste of money,39044215,62037937,00.htm 

By Liam Tung
ZDNet Australia
February 19, 2008

Businesses waste millions of dollars trying protecting their IT 
infrastructure but too many investment decisions are corrupted by poorly 
applied mathematics.

"I believe that industry, by and large, is wasting money on security 
today," said Gene Hodges, CEO of security firm, Websense.

Hodges said the need to feel secure has lead to business making poor 
investment decisions when it comes to IT security. This has resulted in 
money being disproportionately allocated to preventing attacks on IT 

"Attacks were, for the '90s and the first half of this decade, focused 
on the infrastructure and the bad guys' objective was to take down your 
e-mail system, to take down your network connectivity through DDoS 
attacks...that's why we bought firewalls and antivirus, IDS and IPS.

"I think spending money on classic infrastructure security gives you a 
sense of security, but actually, you know doesn't matter that 
much," he said.

Hodges' comments echo those of security guru Bruce Schneier, who 
recently warned business to avoid getting "caught up in the feeling of 
security, driven by fear".

But this doesn't mean that spending on security is a waste of money, 
according to Hodges, who said that overzealous budgets for securing 
infrastructure are wasteful because their relationship to a company's 
financial performance is more tenuous than say, data leakage.

"So what if some IT guys have to work over the weekend to clean up 
laptops. I mean, I'm sorry to say this but you know that's generally the 
way a CEO would feel.

"On the other hand, that same CEO, if he thought he was going to be 
embarrassed and the stock price depressed through a major data leak, he 
would be very happy to make that investment--and I think that's well 
beyond the feeling of security," Hodges told ZDNet Asia sister site

Schneier said that another problem faced by administrators is knowing 
how much security products are worth.

"If you've ever see one of those ROI models, what they do is measure the 
cost of an attack and then multiply it by the probability of an attack 
to give you how much money you should spend--this is how all insurance 
companies build their business model," Schneier told in an 

"Maybe your reputation is worth US$20 million, or maybe it is only worth 
US$10 million, or maybe it is worth US$40 million. Suddenly I can 
completely perturb your budget--because the numbers are so big and so 
small, that minor changes perceptually make huge changes to the product. 
So I can make an ROI model say whatever I want," he added.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods