not surprised at the top sec concerns and top sec spends

Andy has another post I wanted to highlight, which itself echoes a post from Gunnar Peterson. They both cite a survey that shows:
top security purchases:

  • firewalls
  • antivirus
  • authentication
  • anti-malware

top security concerns:

  • mobile computing
  • social networks
  • cloud computing

I’m not surprised by this mismatch. In fact, I’d even go so far as to say this isn’t something that will ever change, nor should we get all steamed up about changing it. In 10 years, we’ll still have bleeding edge, complex items in the biggest concerns list, and the things we’re finally getting around to understanding will be the major parts of our spending.

Now, Gunnar and Andy both have excellent points, specifically about IT teams seeing IT problems and solving them with IT solutions; in fact, I’m positive their points hold merit.

But I think there are other ideas that trump those (I did comment on their blogs about it, and later decided I should just blog here). Those top 3 concerns are bleedingly new such that:

  • we fear new things because we don’t understand them, or don’t understand them because they’re new.
  • they’re too new for us to have solid approaches to handling them.
  • they’re too new for us to know if we should be worried or not! We tend to default to paranoid/worried, which is good!
  • they’re too new to have obvious budget items assigned to them. Can I buy a box or some software that provides “cloud security” or “social media security?”
  • they’re so new the business doesn’t even know how to use them or what they want out of them. Let alone how we can secure them while still meeting or at least not stomping all over business needs. If the business doesn’t even know how to use them yet, I’m not sure security is in any position to guide that usage securely.

It also should be mentioned that these new things are largely being pushed from consumerland into the business, with IT as a sort of, “Oh yeah,” afterthought. Firewalls, AV, AM, Auth are all IT responses to typically IT issues. Of course there is a difference there. They’re also very subjective issues, as opposed to very objective items like firewalls, known malicious bits, behaviors, signatures, ports. Business presents very complex issues that often involve people (which we can’t patch) and that often don’t fit nicely into blanket rules. Even if we turned away from technical solutions and devoted our time to solving these problems, they are still not going to be neatly solved. Likewise, when push comes to shove, can you set and meet goals with firewalls? Can you show improvement? All of this flows from the rather subjective, non-technical aspect of those issues. It’s sort of the difference between a child’s report card and the feedback you get from a parent-teacher conference. If you have a child, which one would you be most inclined to disagree with or not necessarily believe? (The answer is the subjective one!)

It could be said this is the natural progression of security and technology: from shoring up the technical controls to moving up the stack towards behavior and people. Sure, these 3 top concerns can be said to punch through firewalls and network segments, but that’s the nature of those things (social media “punching” through a firewall is far different from me punching through an SSH connection to bridge my home network; social media is akin to the *way* I use my SSH connection after the hole is already punched because it is needed; i.e. social media is the way port 80 is used.)

Basically, all indications point to not being surprised by this dichotomy. And I don’t think this is some further indication that IT/security is doing it wrong, or isn’t aligned properly with business, or has a technical dark-server-room background. I’m not saying we’re doing things right or we’re properly aligned, but the above isn’t a good argument to support the theory of those deficiencies.

Now for a really big jump. I’d liken the current increase in mobile computing to the introduction of computers into the business, and later the PC/internet into business, in terms of scale. Now, I wasn’t around when the former happened, nor was I in the industry when the personal computer revolution swept into business, but I would bet that is the closest comparison so far. I may even say the same for social media. These are damned new and they’re big changes beyond just bringing in Macs or new software or some new business process.