Chief Executive Officer, Security Innovation

More spending, less secure

Apr 16, 2009 | 2 min read
Business Continuity, Data and Information Security, IT Leadership

According to the 2009 Verizon Business Data Breach Investigations Report, released on Wednesday, April 15th, more electronic records were breached in 2008 than in the previous four years combined, mainly by outsiders targeting financial services and retail firms.

The most disturbing part of the study, though, is its finding that despite widespread concern over desktops, mobile devices, and portable media, 99 percent of all breached records were compromised from servers and applications.

Couple this with three disturbing facts from the recently released Computing Technology Industry Association (CompTIA) study and you’ve got a pathetic mix of mis-focused spending and awareness:

  • The average severity of a breach in 2008 was ranked 5.6 on a ten-point scale, up from 5.3 in 2007 and 4.8 in 2006.
  • Most organizations are holding steady or increasing their security spending.
  • Even though the severity of breaches is on the increase, most organizations continue to rely on traditional tools — such as firewalls and antivirus suites — as their primary defense against them.

Being a curmudgeon, I’m naturally caustic… but when I see the same mistakes being made over and over again, I get downright depressed. How long have we, as an industry, been lamenting the fact that application security is the biggest culprit in security breaches — a veritable greenfield for attackers both internal and external? Yet we do little to address the problem.

Last May, yours truly delivered a webcast on the Application Security Maturity (ASM) Model, which introduced the results of a 10-year study — the study shows where organizations get stuck, where the best ROIs are (it’s in people and process, not in tools, btw) and provides the basis of a roadmap forward. I’m speaking on the same topic next week at RSA Con… and I’m bewildered at how little has changed in the 2 years since I first spoke on the topic.

Ed Adams is a software executive with successful leadership experience in organizations of various sizes that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his extensive industry experience in the software quality space, to direct application security experts who help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to some of the most recognizable companies in the world, including Microsoft, IBM, FedEx, ING, Sony, Nationwide and HP.