CSOinformer - Security wisdom ahead of the curve

The Declining Security Industry?

June 21, 2004 - Jim Reavis

Hot off the presses, I am being informed that we have won the security battle and we can all go back to sleep. If anyone out there has the need for a security writer/analyst, let me know. I have my own computer, will travel, but need to be retrained. Confused? While you have been buried in compliance issues, data mining terabytes of logfiles in search of security incidents, updating AntiVirus signatures for the third time this week, it's understandable that you would have missed the news that we are winning the battle against the hackers.

What am I talking about? A couple of news items this month from different sources tell tales of decreasing spending on security as well as decreasing damage due to security incidents. The Computer Security Institute (CSI) and the Gartner Group did not exactly tell me to get a real job, but it is worth pondering their latest pronouncements to see if they tell us anything new.

At the Gartner Group's IT Security Summit, Victor Wheatman said, "By 2006, information security spending (including staff salaries and external services) will drop to 4% to 5% of IT budgets, on average, as enterprises improve security management and efficiency." Some of the same "IDS is obsolete" Gartnerisms were repeated at the summit (more on this in Under the Radar). Intriguingly, Wheatman also said, "Through 2009, each new wave of technology will render existing information security measures obsolete, increasing security exposures in new and legacy environments."

CSI made some news of its own with the release of its ninth annual CSI/FBI Computer Crime Survey. The survey showed a significant decrease in the total amount of cybercrime losses from last year, and a marked decrease in the average dollar loss per incident as well. The 2003 numbers showed losses of $141.5M from 494 companies surveyed, compared to $201.8M in 2002, out of 530 companies surveyed.

Although these stories were released concurrently only by coincidence, taken together they make one wonder if we aren't gaining the upper hand on hackers and if we will also see a decline in the security industry as we know it. If corporations truly spend less on security in succeeding years, that cannot help Chief Security Officers in their ride to the top, nor can it be of benefit to security companies that are forecasting big increases in the security market over the next few years. Are we solving security and making ourselves irrelevant?

My feeling is that each of these news bites is correct within a small scope, but they are misleading and could be prone to misinterpretation. Take the CSI/FBI study. By surveying roughly 500 large institutions with mature security programs, they are not really capturing a lot of the essence of what is happening out there. CERT's statistics show a doubling of incidents from 2002 to 2003. Millions of consumers are suffering from identity theft and Internet-based fraud. While the sophisticated security programs are yielding positive results, it really is much worse out there than the CSI picture paints.

We are in an epoch change, and the analogy I like to make is comparing information security to the Wild West of the United States in the late 19th century. The average small town in the West did have periods of lawlessness and had a much higher crime rate than the modern cities of today. They also had some pretty spectacular outlaws. Today we look back at the Old West with fascination at the outrageous criminals and daily shootouts, but while our huge metropolitan areas may have less crime per capita, they surely have more in the aggregate. In the same way, information security is transitioning from its Wild West days of spectacular heists impacting a smaller group to an exorbitant increase in incidents impacting a technological infrastructure we grow ever more dependent upon. CSI aside, the losses attributable to information insecurity were certainly at their worst in 2003.

I also believe that Gartner does a reasonable job in their budget forecasts from one point of view, but the IT security budget shrinkage they are predicting is misleading. The federated models of security that are pushing infosec responsibility to business units and developers, and otherwise baking security into the processes, are being missed by Gartner. Developer tools that impact security, and security features that are built into non-security products, are examples of things that cannot be tracked by the survey Gartner produced, but are surely significant.

Sorry, the security industry is not going away and you will have to put up with me a little longer. The security industry is not in decline and we have not solved the security problem. It is not even clear that we have gained an upper hand, although I believe some organizations are doing a much better job. Cybercrime is hitting smaller and smaller companies, is growing exponentially in the total number of incidents, and the problem is getting worse. I believe the budgets for security will not necessarily get smaller, but rather will be harder to track as security gets integrated into so many different things, from technology products to business processes. When you try to make sense of these news stories and future ones with similar themes, keep this in mind: cybercrime is moving from spectacular incidents to a pervasive insecurity, and convergence will hide much overt security spending, but hopefully will also provide a more comprehensive solution than the security silos we are used to.


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.

© COPYRIGHT 2002/03/04 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.