Security Below the Poverty Line with Wendy Nather of The 451 Group Oct. 17, 2011

from The DevOps.com Podcast

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone. One of them is that security is hard and seems to be getting harder. As a result, security is also very expensive. So expensive that only the largest organizations, who put a high value on securing their assets, can afford it. In fact, some studies show that large organizations spend on average about 3.5 million dollars a year on security. Frankly, even that is not enough given the current state of cybersecurity. But even assuming that number is adequate, who has 3.5 million to spend today? The fact is that most organizations live "below the security poverty line".

One of my friends in the infosec world, and someone whom many follow, is Wendy Nather, director of research for enterprise security at The 451 Group. Wendy has real-world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene. She wrote a report titled "Security Below the Poverty Line". Wendy's research shows that most organizations don't have anywhere near the resources required to do security right. I actually wrote a follow-on to Wendy's report on Secure Cloud Review (another place I blog) titled "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that, like the real poor today, security-poor organizations may make do on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face. I wanted to speak to Wendy about what role open source security can play in raising organizations above the security poverty line. The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.
So could open source be the secret weapon in the war on security poverty? Wendy and I discuss just this and what her research shows. You can listen to our 15-minute discussion below. But let me give you some insight even if you don't listen to the podcast. The costs of security are not only the hardware and software of the security products. The human costs of security are equally expensive. Even deploying open source security projects will take experienced, qualified security know-how. That costs money, more money than many organizations can afford. So open source in and of itself is not going to be a panacea here. You can learn more by listening to the podcast, or visit my blog on Network World and read the full interview article.