Wonderful! Grand! Well done! Except.................

Buy all the 'security technology' in the world - even go so far as to install it (and that's not a given). My goodness, I've even heard of companies so radical as to provide resources to sustain the 'security technology'. But it's still all for naught if we don't have the framework, processes and education to support it.

There are still too many companies and organisations out there in 'check the box' mode. "We should have an IDS? Check." "Oh, we need DR testing? Check." These types of enterprises happily slap in their 'security technologies' without regard to standards or internationally-accepted codes of practice, check the box and merrily go on to the next thing.

The results of this are simple. Without education, standards and a strategic, 'defense-in-depth' approach to security the only difference made will be to the expense column of the budget.

"Nearly half of the survey respondents said they plan to increase spending on security-related technologies this year"

This has been the case as long as I can remember. Its more of a theoretical statement as compared to a practical. In one organisation where passive and active IDS was employed the management deemed it too time intensive to check the logs daily advising "the resource required for this task could be better utilised".

The bottom line - organisations don't understand the level of committment actually required to maintain such systems effectively. I completed my CompTIA certification and found myself in disbelief of just how open systems actually are - wasn't given the funding or resources to actually tackle the issue. CEO advised we would accomodate this in the next budget - oh sorry!, forgot about that we will get it next year - oh sorry, forgot again, we will get it next year.

I work in sales for a security integrator and this is what I see: haphazard spending by IT people who are not security conversant or compliance savvy (as a generalisation).

I definetely do not see this increase in spending on security related products or services.

Maybe spending has been reduced on other IT products and consequently the percieved security spend has gone up.

Most of the companies I've worked for had at best a haphazard to security. Sort of like locking the front door of the building, but leaving the side door wide open in order to not inconvenience the senior management when they came in to get their golf clubs.

Many technological gadgets being called "solutions". They might be solutions, but not to the real problems. Of course, instead of listening to their resident security boffins (I wasn't one, but I knew them well) they would listen to the sales people (who all lie, no exceptions) and to HR (!!wtf?) on what to get and how to apply it. Needless to say, it never really worked right.