One of the bigger problems facing folks that have been put in charge of security is amount of money it takes to keep defenses in place on an ongoing basis.
A recent study conducted by Baseline, a sister publication of eWeek, shows that the vast majority of the security dollars being allocated today are going to pay for things like license renewals for products that have already been put in place.
On top of that there is more pressure than ever in these changing economic times to rein in security spending as a percentage of the total IT budget. That's why it can be frustrating when new issues crop up such as the advent of new "recreational peer-to-peer protocols" that people are using to share files with each.
The folks that are having the biggest challenge with this issue are all the people that work in the IT departments at schools. The Recording Industry Association of America has been sending out notices to schools telling them that they may be liable if students use their networks to infringe on copyrights by copying "evaluation" copies of songs and using the school network to distribute them.
Naturally, these creates an opportunity for security vendors such as St. Bernard Software and Astaro that have products that detect any number of peer-to-peer protocols on the network so IT people can take steps to stop this kind of activity.
But the real question is where will security professionals find the budget. Clearly, RIA is creating a legal threat that should motivate schools to allocate budget to deal with this issue, but like most schools that money will have to come out of some other part of the budget. Similarly, corporations can soon expect to be held liable for what employees do on their corporate networks as well.
What all this means is that it is high time for a review of the total security portfolio because a lot of the products that were purchased over the last five years may no longer be necessary, or have become a feature of some other more cost efficient offering. Alas, that kind of review can be pretty painful so a lot times it just doesn't get done because security is a special case. But similar reviews go on all over IT so like it or not the time has arrived to start applying the same level of return on investment analysis on security that we see everywhere else in IT.