Is Infosec seeing "Death by a Thousand Budget Cuts"?

Published: 2011-01-13
Last Updated: 2011-01-13 20:55:25 UTC
by Rob VandenBrink (Version: 1)
7 comment(s)

This diary is a bit different than the tecky ones i usually write, I'm hoping we can have a discussion on what trends folks are seeing in their security budgets and projects for 2011.

I'll go first, I hope that's ok.  I'm seeing IT budgets trending towards modest increases, but with a real difference.  IT budgets all seem to be skewed towards things that have quantifiable, hard returns on investment.  Things like virtualization, storage upgrades and updates to core business applications are the big winners this year.   The exception to this trend seems to be at the plus end of the spectrum.  I've got 10gig network upgrades, trill and fcoe projects left and right.

What I'm not seeing is increases in security budgets.  There seems to be fewer audits and pentests, or in some cases none at all.  Security teams seem to have a big helping of  "more with less" this year.  While you can get a lot done with a good imagination, good skills and free tools, a zero budget and no time allocated is still a big pair of obstacles.  What managers often overlook is the rate of change in this field.  Standing still  in your securuty efforts in most cases means walking backwards in varying degrees of briskness.  I'm seeing lots of folks walking slowly backwards lately.

So, please, use the contact form and let us know what you see coming up for security projects and budgets this year.  Is what I'm seeing matching what's happening in your company, or am I off base completely?

=============== Rob VandenBrink Metafore ===============

Keywords: security budgets
7 comment(s)


We are seeing the same thing and have been seeing this trend for at least a year now.

Our team is small, we have little, if any budget, and we cobble together innovative solutions as best as we can, based on the hard work of others in the community.

Management seems to be all excited about "the cloud," virtualization, and "employee-owned IT."

There is a strong push into buzzword areas and a pronounced lack of interest in security, from what I've seen.
In the medical arena many are increasing security this year. Much of that is due to waiting sooo long for new money. The wait has ended... none in sight, so the consensus is "go ahead and do it then" since it will only get worse. That is what I see, and I do hope it continues. Too much data is easily poached without the proper safeguards in place.
I work for a outsourcing company doing work for a major N.A. energy provider. We are hiring two new FT people but from the sounds of things other shops are getting stretched thin.

The buzz in the press is that IT Security is going to be in big demand in the next few years in particular so its kind of confusing hearing about everyone being work hard on small budgets.
Your entire premise is wrong. Pentests and audits aren't information security. They're audits. Done by auditors.

What a proper information security department does is work with your IT teams to make sure that your virtualization, storage upgrades and updates to core business applications are all done with security as a partner. And you don't need an increase in your security budget to do that. As we replace applications and infrastructure - we take the opportunity to fix past security mistakes and make things better. In addition - new infrastructure and applications are now designed with security in mind.
In the education side, I am seeing a complete lack of care. We have tens of thousands of students across one of the largest cities in Canada, and have already seen DOS layer 2 attacks, and I can't even convince my boss to let me create an IDS infrastructure to detect and source attacks. There is basically no security budget and no one seems to care. I suppose time will show that they should have listened to me. I suppose i should be grateful that we at least use a decent AV.
It's been death by nonexistent budget since 2004; unless you are the NOC for larger government agencies or the military. I observe a behavior of "make sure that checkbox is checked" in the public sector and "why should we care? it doesn't make us any money" in the private. Unless there is a legal or regulatory requirement; no one but security professionals really care about infosec.
I'm sorry Yoshi but you are wrong there. Auditing is Information Security. That is one section of my job where I work and we work closely with developers after scans are done if there are any vulnerabilities to get them fixed. We must know the new vulnerabilities that are out there that affect your systems that you think are the only thing under Information Security because we get hit first. If there is a crack in our wall that allows an attacker to do something to the server that wasn't patched or hardened then there is a problem. Some companies, like the one I work for has a full time staff that audit's their web applications every quarter, which is in the big picture just one part of Information Security.

Diary Archives