I'm not sure security is underfunded. I believe the money's there, it's just being misapplied. For example, we're spending huge amounts of money trying to patch up security problems in Windows (just look at how much is spent on anti-virus and filtering software alone, let alone in patching systems and the software to manage and apply those patches in large enterprises). For all that, though, the causes of the problems remain to create a new vulnerability next week. I see sites putting a lot of work into systems to more reliably authenticate the users when they log in, to make it harder for identity thieves to successfully use what they've stolen, but I don't see any work being put into allowing the user to authenticate the site as they log in (which would prevent the most common ways to steal the information the identity thieves need in the first place). I see lots of attention being given to how and why companies that collect personal information should protect it, but precious few people demanding that those companies answer a more basic question: why are they collecting and keeping that information in the first place?

Do we need to spend more money? Or do we need to spend the money in different and more effective ways?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/345/32226#32226