With Jonathon Gossels, president of SystemExperts Corp., a consultancy for network security services.

This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit http://www.itbusinessedge.com.

By Terry Sweeney

Question: Initial IT spending forecasts agreed that budgets would be larger this year. Is that what you see with your enterprise clients, and how big is security’s piece of the pie?

Gossels: In our large enterprise clients, we are seeing a spotty recovery; certain industries like financial services have improved substantially, and budgets reflect that improvement. Other industries, like manufacturing and retail, are still struggling, albeit less than in the depth of the recession. Historically, organizations spend between 15 percent and 20 percent of their IT budget on security. That includes obvious security expenditures like penetration testing, deploying standardized secure builds for common platforms, and incident response, as well as the often-overlooked expenditures on application-level authentication and access control.

Question: Budget sizes aside, what kinds of security technologies or systems do your corporate clients consider most critical to buy and implement?

Gossels: The best way to characterize the security projects we are seeing planned for 2004 is a renewed focus on fundamentals. Successive years of tight budgets have eliminated technology-driven initiatives and have better aligned security spending with business requirements. In fact, in 2004 we did more work directly with specific lines of business within large enterprises (as distinct from the security departments) than ever before. Budget limitations are still preventing many firms from accomplishing even basic required tasks, such as regular perimeter penetration testing, vulnerability assessments of essential Web applications, or maintaining adequate staffing. In others, we’re seeing targeted spending to address critical security problems. In general, we’re seeing more security spending planned for 2004, and it seems to be well focused—Web application vulnerability analysis, infrastructure or design reviews, perimeter penetration testing, intrusion detection, code reviews and antivirus deployment, for example.

Question: How do you respond to clients when they ask where their security dollars are best spent?

Gossels: We help our clients to understand what assets need to be protected, what level of protection they require, and the likely threat scenarios. When security expenditures are well aligned with genuine business requirements, those are well-spent security dollars. It pays to do the basics well. By combining simple best practices, business-aligned policies, and an appropriate (often minimal) level of technology, enterprise clients can achieve an effective level of security at a reasonable cost. In the world of security, there is no substitute for genuine expertise—getting the security of key components 90 percent correct is the same as not securing them at all.