Enterprise IT Security Spending: It's Like Meeting Your In-laws
The changing role of security
By: Greg Wallace
May. 30, 2005 12:15 PM
Here's an understatement: security has been pretty front and center lately. When was the last time the "S" word hasn't been somewhere on the cover of at least one of the weekly IT magazines? All this focus on security may have left some sys admins feeling a tad like Greg Focker in the movie "Meet the Parents."

For those who haven't seen it, here's the plot. Greg is in love with Pam, and he wants to marry her. However, Greg has this little obstacle to overcome - Pam's security-obsessed Dad, played by Robert De Niro. Greg and Dad don't exactly hit it off because they have very different ideas of what Pam should get, of what will make her happy.

Analogy: Pam is your network; you, the sys admin, are Greg, and Dad is the person whose every project has been funded over the past couple of years and who seems to wield veto power over all other projects. Dad is your Information Security Administrator.

Living with Dad hasn't always been easy. To be fair though, there is reason to be paranoid. Security breaches cost a lot of money - lost productivity, lost information, lost sales - and so IT budget priorities over the past few years have reflected the importance of stemming these losses.

However, indications are that security's long reign over the IT budget may have seen its apex come and go. According to recent Forrester Research studies (2005 Enterprise IT Outlook: Business Technographics North America, and North American IT Spending in 2005), applications - rolling out new ones and updating existing ones - will take more out of U.S. IT budgets than will security in 2005. Furthermore, the latest CIO Magazine Tech Poll corroborates the Forrester findings, with 85% of respondents saying they have an application backlog, and 60% of these saying the backlog is significant.

The diminishing budgetary emphasis on security is not solely a U.S. phenomenon, either. According to another Forrester study (European Enterprises' 2005 IT Priorities), this year's top priority over there is the consolidation of existing IT assets through things like automation and better management tools.

What is behind this? Why do companies seem to be demoting security? In researching this story, it became apparent that in order to understand this trend more fully, one must look at the changing role of security in two primary organization types:

Large and/or Exposed Companies

John Crossan, systems administrator at Valley Presbyterian Hospital, says, "Here, it's not so much about making the network secure as it is about keeping the network secure. Because threats evolve and new threats emerge, any information security posture is only as good as the people who implement it." The indications are that many companies will be well served by an ongoing effort carried on through a dedicated security team.

The writing is on the wall; dedicated security personnel will stay on in the large/exposed organizations, but their specific focus will evolve over time.

"For example," Fabian continues, "in 2000 and 2001, the task of patching sat squarely with security administrators in large IT shops. Today, patch management responsibility lies mostly with systems administrators - it has been handed off. The same is true of managing corporate antivirus technology - a few years ago, when it was a new technology that few people understood, it was handled by the security team, and now it is managed as part of ongoing systems administration - it's a cycle."

What emerges from these discussions is a view that security follows a common life-cycle pattern - nothing new there. What we've attempted to add in our Security Technology Digestion Process is the people perspective - that is, adding the "who" component to the "what" (see Figure 1).

And to answer the question of which technologies occupy security teams in large shops today: "Intrusion prevention is one, and another is what is often called Security Information Management, or channeling all of the different sources of security information, such as firewall logs, server logs, and intrusion logs, into one data stream that can then be analyzed and acted upon."

If all of this security activity in large organizations has you asking, "How exactly does this equate to an overall demotion of security in the IT budget rankings?" - the answer may lie in the SMB segment.

The Small and Medium-Sized Business Market

Claudio Martinez, IT director for Morrell, a leading wine distributor in New York City with just under 200 employees, sums it up by saying, "Getting the right security technology and process into our network is a lot like building a house - the big cost is up front. That's when you need to hire the most specialized and expensive people, like architects, and that's when you incur the greatest capital expense. Once the house is built, you are in maintenance mode, and the capital costs decrease. That's what we're seeing with our budget and I think that's what is behind the spending trends."

Martinez's comments support the theory that SMB security spending tends to be cyclic - build the security house, and then maintain it. This spending pattern is likely motivated in part by the IT personnel constraints that most SMBs are under. Unlike the enterprise segment with their full-time dedicated specialists, SMB IT shops tend to be composed of generalists. As such, their ability to consume a constant stream of new security technology is limited. This tends to flatten their Security Technology Digestion Process, making it more linear than that of IT shops in large organizations (see Figure 3).

Conclusion

A conclusion that cuts across both enterprise and SMB segments seems to be that systems administrators who haven't already done so should consider adding security skills to their kit bag. John Golden, vice president of products and programs with technology training giant New Horizons, put it this way: "Traditionally, security was looked at from a technology and a product perspective. This is changing. Today, we see security pervading the entire organization. End users need to be security aware, executives need to be security aware, and all IT professionals need to be security competent."

Need more proof? In a recent Monster.com keyword search for "systems administrator," over 50% of the positions had a security requirement in the profile.