By Liam Tung
February 19, 2008
Businesses waste millions of dollars trying protecting their IT
infrastructure but too many investment decisions are corrupted by poorly
"I believe that industry, by and large, is wasting money on security
today," said Gene Hodges, CEO of security firm, Websense.
Hodges said the need to feel secure has lead to business making poor
investment decisions when it comes to IT security. This has resulted in
money being disproportionately allocated to preventing attacks on IT
"Attacks were, for the '90s and the first half of this decade, focused
on the infrastructure and the bad guys' objective was to take down your
e-mail system, to take down your network connectivity through DDoS
attacks...that's why we bought firewalls and antivirus, IDS and IPS.
"I think spending money on classic infrastructure security gives you a
sense of security, but actually, you know ...it doesn't matter that
much," he said.
Hodges' comments echo those of security guru Bruce Schneier, who
recently warned business to avoid getting "caught up in the feeling of
security, driven by fear".
But this doesn't mean that spending on security is a waste of money,
according to Hodges, who said that overzealous budgets for securing
infrastructure are wasteful because their relationship to a company's
financial performance is more tenuous than say, data leakage.
"So what if some IT guys have to work over the weekend to clean up
laptops. I mean, I'm sorry to say this but you know that's generally the
way a CEO would feel.
"On the other hand, that same CEO, if he thought he was going to be
embarrassed and the stock price depressed through a major data leak, he
would be very happy to make that investment--and I think that's well
beyond the feeling of security," Hodges told ZDNet Asia sister site
Schneier said that another problem faced by administrators is knowing
how much security products are worth.
"If you've ever see one of those ROI models, what they do is measure the
cost of an attack and then multiply it by the probability of an attack
to give you how much money you should spend--this is how all insurance
companies build their business model," Schneier told ZDNet.com.au in an
"Maybe your reputation is worth US$20 million, or maybe it is only worth
US$10 million, or maybe it is worth US$40 million. Suddenly I can
completely perturb your budget--because the numbers are so big and so
small, that minor changes perceptually make huge changes to the product.
So I can make an ROI model say whatever I want," he added.
Subscribe to InfoSec News