The Most Secure Companies Spend The Least?

iPodBoy writes "The Reg has an interesting article with some choice quotes from Gartner, showing that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure. Gartner also had a choice quote for Microsoft, describing Windows as 'the biggest beta test in history,' and warned IT security pros not to expect too much from Microsoft's vaunted Trustworthy Computing initiative."
  • by Lord Prox ( 521892 ) on Wednesday September 22, 2004 @06:49AM (#10317348) Homepage
    A multi-year, million-dollar study now confirms that a fool and his money are soon parted.
  • Wow... (Score:1, Funny)

    by Anonymous Coward
    ...so Windows costs a lot and is less secure than Linux (plus/minus IT tech wages).

    Bugger me.
  • Gartner.clue (Score:5, Informative)

    by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Wednesday September 22, 2004 @07:03AM (#10317392) Homepage Journal
    It's amazing the level of clueness (it's a word, I tell you!) they seem to possess over at Gartner. No, really. If you don't read the article, at least read this bit:

    Gartner has identified IT security technologies enterprises will need over the next five years - and other technologies most companies probably won't need. On the enterprise shopping list is host-based intrusion prevention, identity management, 802.1X authentication and gateway spam and AV scanning. Security technologies Gartner reckons most companies can safely do without include personal digital signatures, biometrics, enterprise digital rights management and 500-page security policies.

    Their stab at Microsoft is par for the course, but this is just beautiful. :-)

    • My company has a security policy that explicitly states that our users are not allowed to install non-approved software. Yet at the same time I spend large amounts of time removing spy/ad/malware from their computers. So since they aren't installing it, which would be against our policy, where is it coming from? Maybe our policy isn't long enough. Or perhaps we need to use a larger size font, and more BOLD TYPE.
      • Or take away their right to install software and run activex components on their computers. If you already have a license to lock them down, at least do it right.
        • First, taking away rights to install software can be difficult if you support a user base that needs to have admin rights on their own systems.

          Second, I'm just a desktop support guy. I fix computers all day and get a check at the end of the week. Creating policies is not something that's in my job description. Enforcing policies that cause friction between me and my customer base is something I tend to avoid.

          I don't have a lot of confidence that complaining to management about the situation is going to
          • If they need admin rights on their own desktops, they should either know better, or they are running on crap software that isn't sufficiently granular to open up what they REALLY need without giving them blanket admin rights.

            I'm aware that this is a huge issue on Windows (specifically coming to my attention with regard to Palm hotsyncing software) but I'm hesitant to blame Microsoft because they do have a fair amount of granularity in permissions post Win2K. Rather, I tend to blame lazy software developer
  • It's true (Score:5, Funny)

    by skinfitz ( 564041 ) on Wednesday September 22, 2004 @07:07AM (#10317412) Journal
    You know I know a builder who doesn't use computers at all. You know what? Now I think about it, he's NEVER been haxx0red!
    • I know you are joking, but honestly, computers are used in many situations where they are far from optimal.

      If a ledger, calendar, and address book works for a small business, why should they invest time and money into transitioning over to a computer system?

      Hell, I know plenty of "business" people who use PDAs when a small $.99 notebook would work just as well.

  • Microsoft Security (Score:3, Insightful)

    by eyepeepackets ( 33477 ) on Wednesday September 22, 2004 @07:13AM (#10317436)
    Oxymoron for the Internet Age.

    Note to astroturfers: Marking truths as trolls doesn't change the truth value of the post but doing so does display your attitude towards truth. Mark away foolish ones.
    • This slashdot thing is an open forum right? I suppose that because you agree with an extremist conspiracy opinion that one truth is higher than another makes you the all-knowing omniscient? Try to compare facts next time.
  • by 0x0d0a ( 568518 ) on Wednesday September 22, 2004 @07:15AM (#10317451) Journal
    So, consulting firms like Gartner say "Windows is insecure". Big deal. Gartner is for hire for PR fodder. You know who to ask if you want the real dirt on what has problems? IT professionals, the sort of people who frequent Slashdot. Gartner is trying to approximate what an IT professional would say.

    Do I think Windows has security problems? Sure, both in Microsoft applications and in the API at a design level. There is also some missing security functionality, like a sandboxing mechanism. However, I think more of the problem comes from a long tradition of single-user systems and application developers not writing security-conscious code. Who calls out Adobe for, say, opening a local system vulnerability with Photoshop? Nobody. On the other hand, if OSS/Linux or Oracle opens a hole on a *IX box, then people make noise.

    My issue is not that Microsoft is accused of having security problems when they don't have any (though, to be fair, Linux isn't perfect either). No, my problem is that *Gartner* saying that Microsoft is insecure should mean nothing to a typical Slashdotter. A typical Slashdotter should be relying on their own experience, not on Gartner. Gartner is for large company CIOs, suits that don't understand technology and want their business decisions fed to them ground up into a nice paste.
    • "Gartner is for large company CIOs, suits that don't understand technology and want their business decisions fed to them ground up into a nice paste."

      We know.

      But it's quite nice to NOT see Gartner suggesting that Windows is more secure, n'est-ce pas?

      I'm looking forward to the Forbes article, "Making money is for chumps, we show you real happiness".

      Well, I can dream.

  • Makes sense (Score:3, Insightful)

    by jbrayton ( 589141 ) on Wednesday September 22, 2004 @07:23AM (#10317491) Homepage

    As others have said, I wouldn't take Gartner's "information" too seriously. That said, their conclusion makes sense.

    Who is more secure, the Windows user with expensive anti-virus software, or the Linux/Mac/UNIX user that does not have anti-virus software? And who has spent more money on security?

    Who is more secure, the user of a mail server that has expensive virus detection software or the user of a server configured to simply block attachments?

    Money spent on security is typically to duct tape over a security hole. A secure system doesn't need so much duct tape.

    • Security is a lot more complicated than what OS you run and whether or not you have AV software installed.

      From the business perspective, that Linux server could be way more insecure because it's allowing Telnet and non-anonymous FTP connections. With those you're shouting username/password pairs across the aether for anyone to pick up and use, and someone can log in and start stealing corporate data.

      If I were running a company, I'd be far more worried about that than I would be about most Windows viruses
      • Security is a lot more complicated than what OS you run and whether or not you have AV software installed.

        Of course. The two examples I cited were just that -- examples.

        you're acting like IT people have the ability to just redefine the world w/r/t security. If I blocked attachments and replaced Windows NT with Linux, I'd get hanged for basically shutting down the company. (With very good reason, too - I would have basically shut down the company.)

        Agreed. I didn't mean to imply that the IT peopl

      • > that Linux server could be way more insecure because it's allowing Telnet

        "Could be", perhaps, but it's ludicrous to think that anyone would actually be running a telnet server in 2004. Your Windows desktop "could be" running a telnet server as well. But it's "probably" running a spam zombie net instead.
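The cleartext-credential point raised in the Telnet/FTP exchange above, as an added illustration that is not from any poster in this thread: a passive parser over a constructed FTP control-channel capture (client-to-server direction only), pairing each USER with the PASS that follows it, which is exactly what a sniffer on the same segment sees. The sample bytes are constructed for this example, and the function names are hypothetical.

```python
"""Added example: what "shouting username/password pairs across the aether"
looks like on the wire. Parses a constructed, plaintext FTP control-channel
capture (client -> server direction) and pairs each USER with the PASS that
follows it, the way a passive sniffer on the same network segment would.
The capture below is constructed for this example; it is not real traffic."""
import re
from typing import List, Tuple

# Constructed sample: two logins in one captured client->server stream.
SAMPLE_CLIENT_STREAM = (
    b"USER alice\r\n"
    b"PASS hunter2\r\n"
    b"PWD\r\n"
    b"CWD /finance\r\n"
    b"QUIT\r\n"
    b"USER bob\r\n"
    b"PASS s3cret\r\n"
)

# RFC 959 command line: 3-4 letter verb, optional single space, argument.
FTP_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


def parse_ftp_commands(stream: bytes) -> List[Tuple[str, str]]:
    """Split a client->server FTP control stream into (VERB, argument) pairs.

    Lines are CRLF-terminated per RFC 959. A trailing partial line (no CRLF
    yet) is ignored, as a sniffer would wait for the rest of the segment."""
    cmds: List[Tuple[str, str]] = []
    for raw in stream.split(b"\r\n")[:-1]:  # last element is "" or a fragment
        m = FTP_CMD.match(raw)
        if not m:
            continue  # not a well-formed command line; skip it
        verb = m.group(1).decode("ascii").upper()
        arg = (m.group(2) or b"").decode("utf-8", "replace")
        cmds.append((verb, arg))
    return cmds


def extract_ftp_credentials(stream: bytes) -> List[Tuple[str, str]]:
    """Return (username, password) pairs recovered from the cleartext stream.

    Each PASS is attributed to the most recent USER. A PASS with no preceding
    USER, or a USER never followed by PASS (anonymous login, or a capture cut
    short), yields nothing."""
    creds: List[Tuple[str, str]] = []
    current_user = None
    for verb, arg in parse_ftp_commands(stream):
        if verb == "USER":
            current_user = arg
        elif verb == "PASS" and current_user is not None:
            creds.append((current_user, arg))
            current_user = None
    return creds


if __name__ == "__main__":
    for user, password in extract_ftp_credentials(SAMPLE_CLIENT_STREAM):
        print(f"recovered FTP login: {user!r} / {password!r}")
```

The same parser applied to live traffic (for instance, the payload of every TCP segment to port 21 reassembled in order) is a reasonable network-side detection for cleartext logins still in use; the remedy the thread implies is to retire the protocol in favour of an encrypted one rather than to filter the traffic.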

  • by photon317 ( 208409 ) on Wednesday September 22, 2004 @07:26AM (#10317506)

    A company will always be somewhere in the spectrum between two extremes:

    1) They have knowledgeable, competent staff in the areas of computer security, who can get all the practical computer security that's possible with minimal money spent on 3rd party products and consulting.

    2) They don't have anyone who knows what they're doing about security, so they just fall into a cycle of throwing money at the problem, fail to get it right, throw more money, repeat ad nauseam. The money gets spent on consultants and on whatever whizbang buzzword laden security product the PHCIO just heard about in his favorite IT Mag for Dummies.

    Hence the companies that are the most secure tend to be the ones spending the least money on security. I get the feeling that shops which are closer to category 2 are going to read the Gartner summary and decide to cut their IT security budgets in half in hopes that fixes all their problems, instead of investigating the real underlying issues: hiring competent people who can do security.
  • by uncoveror ( 570620 ) on Wednesday September 22, 2004 @07:37AM (#10317553) Homepage
    You can password protect every system in the place, install a firewall and every kind of malware scanner, but people can still be hacked.

    If somebody calls the twinkiehead receptionist claiming to be from I.T., will she answer every question he asks? If an outsider claiming to be one of the big bosses calls the help desk saying he's locked out, and needs his password reset, will they do it for him? When the guys in the server room go to lunch, do they lock the door? If you sweet talk the fat old man dressed as a cop, will he use his own keycard to let you into a secured room?

    People are easy to hack, and hard to secure, but training courses for them are a better investment than new whizbangs.

  • Hmmm... (Score:3, Funny)

    by HoldmyCauls ( 239328 ) on Wednesday September 22, 2004 @07:41AM (#10317579) Journal
    showing that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure

    You're a redundant person, iPodBoy; that's the kind of person you are...
  • To repeat the old mantra; Security is a process, not a product. Implicitly, you can't buy security, but you can hire competent sysadmins.

    Sadly, the suits rarely know a good sysadmin from a mediocre one, and actually believe that SecuriSoft BrickWall 5000 Professional will solve all their problems.

  • You will never be able to tell anyone to "Trust" you or your services. You have to be very wary of anyone who coins terms like "Trustworthy Computing", especially from a company that has many secrets, a history of lies. Not to mention a dreadful track record on security.

    Trust is something that is earned, you can't just slap the name "Trustworthy" onto something and bye bye bad karma. I'm afraid it just isn't that simple. I for one have very little faith that something is "Trustworthy" just because Microsoft s
    • Actually there are guidelines set up, and standards to meet that are part of the process.

      At the code level programs are compiled and checked by two different people. All bug fixes are checked by at least two different people.

      Compiles are constructed in an organized way. Security test checklists are worked through.

      Trustworthy computing means that a company follows these guidelines and then submits to a third party scrutiny such as a standards organization that created their own tests for your prod
  • by bushidocoder ( 550265 ) on Wednesday September 22, 2004 @08:58AM (#10318081) Homepage
    I'd like to know more how the percentage costs were distributed across companies by size and type of company. Also, what is considered a security cost? Are desktop OS upgrades from Win9x to XP lumped in there? I'd love to datamine their raw results and see what the real trends are.

    Smaller companies (500) can oftentimes get by with a single fantastic main admin - As your company grows into the thousands, you probably need multiple main admins at multiple satellite offices, each with his or her own way of doing things. That can affect the results - at the same time, that can mitigate the effects of a less qualified admin.

    Larger companies also oftentimes have nonsensical bureaucratic IT policies. Smaller companies generally trust their individual admin's opinions more often regarding the purchase of new hardware/software, whereas larger corporations tend to make those types of decisions in the boardroom. I don't think there's a technical upside to that, but I might be wrong.

    On the flipside, though, I suspect that smaller companies are more apt to hire underexperienced MCSE's as admins because I suspect their salary offerings won't be as high as companies large enough to have been burned multiple times before - but I could be wrong there too - maybe smaller companies have the edge on better people too.

    Do companies that provide technical services (not necessarily in IT - could be anything like civil engineering) gain anything from having a higher percentage of engineering minds on staff, or does that result in a higher rate of people "fiddling" with their computer in ways that make it more vulnerable?

    What's the distribution of desktop OS' within these groups? Like WinXP or not, everyone has to at least admit that it's substantially more secure than the Win9x series.

    What percentage of companies take advantage of the strong group and ipsec policies in Active Directory? Do they make much difference? Has anyone not living in Redmond actually figured IP Sec group policies out yet?

    In any case, I think there's way too many variables to start pointing fingers at Microsoft. Sure, their security policies have bordered on moronic at times, but honestly, to the best of my knowledge, there probably isn't a Linux desktop network large enough to compete with the top 100 largest Windows networks. It's a different ballgame at that scale and while the desktop Linux teams are paying close attention to the failures of Microsoft as they develop their products, we don't know how they'll rate until they're actually out there.
  • As if we had a low enough budget already... now I'm going to get a paycut because it will "make us more secure".. I hope my PHBs don't read this tripe.
  • The myth that the most informed companies spend the most on buying info from analyst firms was debunked resoundingly.

    It was found that the most informed companies spent _less_ than the average and that the lowest spending companies were the most informed.

    I sure can come up with the bullshit too eh? :)
