A few weeks back, before my vacation, I had a chance to sit down with Wendy Nather, director of security research at 451 Research, which is part of the 451 Group. Besides being one of my favorite people in the security industry, Wendy is also a widely respected analyst who has done some groundbreaking research. Her newest research report is on the "real cost of security."
As part of the research for this study, Wendy spoke to literally dozens of CISOs (chief information security officers) at different sized organizations. She asked them what they would choose to deploy, and for what cost, if they were given a green-field situation of starting security from scratch for a thousand-person organization. Wendy then also looked at what the actual costs would be (not an easy thing to do, getting real prices from vendors).
This real cost of security report is a follow-on to her "security below the poverty line" research of last year. In that report, Wendy showed how much it would actually cost to provide some minimal security to smaller organizations, and how that cost is usually beyond their means from a budget perspective.
In this study, what the CISOs chose as must-haves, along with someone to administer it, can cost as little as $300,000 to $400,000. If you go beyond bare bones, you are probably looking at $500k to $800k. This was based on a 1000-person organization. Doing the math, that works out to about $500 to $800 spent on security for every person in the organization.
Another metric that came out of the study is that most organizations usually have about 1 security person for every 500 employees. For organizations much below the 500 level, it usually means that there is no dedicated security person (no surprise to those in the security field).
Some of the interesting findings in Wendy's research relate to which security technologies are most important to CISOs. Despite all of the talk about APT and web application attacks, two of the top three must-haves were firewalls and AV. We can say that AV is useless and firewalls are no longer needed all we want. The fact is the overwhelming majority of CISOs would not go naked without them. Security awareness training was another need frequently mentioned by the CISOs. Surprisingly, web application security was further down the list.
You can hear more about this report from Wendy in our conversation below (if you don't see a streaming player, reload the page). You can also find out more at 451research.com. The report should be available later this month, but, fair warning, it is not free.