Can Open Source Provide The Protein For Security Below The Poverty Line

Security costs too much for many organizations. Is open source security the answer?

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone. One of them is that security is hard and seems to be getting harder. As a result, security is also very expensive. So expensive that only the largest of organizations, those that put a high value on securing their assets, can afford it. In fact, some studies show that large organizations spend on average about $3.5 million a year on security. Frankly, even that is not enough given the current state of cybersecurity. But even assuming that number is adequate, who has $3.5 million to spend today?

The fact is that most organizations live "below the security poverty line".  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She co-authored a report titled "Security Below the Poverty Line".  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right.  

I actually wrote a follow-on to Wendy's report on Secure Cloud Review (another place I blog) titled "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that, like the real poor today, security-poor organizations may make do on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty?  

Wendy and I discuss just this and what her research shows. You can listen to our 15-minute discussion below. But let me give you some insight even if you don't listen to the podcast. The costs of security are not only the hardware and software of the security products. The human costs of security are equally expensive. Even deploying open source security projects will take experienced, qualified security know-how. That costs money, more money than many organizations can afford. So open source in and of itself is not going to be a panacea here.

There are other potential ways to address this problem. Outsourcing security is one way that can spread the cost of security over time: buying security a slice at a time instead of the whole pie at once. But again, even security as a service, so to speak, can be more than some companies will budget for security.

This is an age-old problem that those of us in the security space know well. Every survey done always indicates that security is in the top two or three priorities for every CIO. However, when it comes time to pony up the money, oftentimes their arms are too short to reach their pockets.

Wendy Nather is a great person to learn from; please take the time to listen in and hear more pearls of wisdom from her in our discussion. Also, here's to a speedy and full recovery for Wendy, who was nice enough to record this with me just a few days before having some medical procedures performed. Good thoughts and prayers to you, my friend! The security world will not be the same until you are back up to full speed!

Finally, many thanks to The 451 Group for making a copy of Wendy's report available for free from the link in this post; it was previously only available to paying customers of the 451 Group.

Copyright © 2011 IDG Communications, Inc.