Is network spending now really nothing more than security spending? Obviously not in a total-spending sense, but probably in a capex-growth sense. Of 354 enterprises who commented to me on their 2025 network budgets, 287 said that security capex would grow at an average of 6%, while overall network spending was expected to grow by only 4%. But that doesn’t mean that enterprises are happy with network security technology; of the 287, only 44 said they believed they were getting value proportional to what they spent on security. What does this all mean?
Let’s start with the question of “why is security value questioned?” Of the 243 who questioned the value of their proposed 2025 security spend increase, 183 said the top reason was that vendors were overcharging, and the remaining 60 said that security threats were increasing. Thus, three times as many enterprises believed they were being overcharged for their security gains as believed that threats were overwhelming products.
This issue, then, goes back to something I noted in a blog in January 2024 (when “211 said that they believed they overspent on security”) and again in a blog in October: “CIOs tell me they believe that security is starting to look like a pit they’re expected to toss money into, and that whatever they spend is never enough to satisfy vendors.” A year ago I summarized the threat issues enterprises cited. What I’m hearing is that somehow all the security changes don’t keep up, and that, as the 2023 blog suggested, we need a change in how we think about security.
So why haven’t we gotten it? Here, I think, enterprises are rightfully blaming vendors, who (not surprisingly) tend to think first about their own revenue. If you add a layer to current offerings to address new risks, you can charge for it. If you propose a radical change, you open your accounts to new security offerings from others. You can see how this turns out.
Enterprises do have an idea of what the basis for network security should be; in 2023 65% said that the network should detect and block all unauthorized access to applications, and this increased to 82% in 2024. But if you go to those who ask for the capability and explain that they’d have to set and maintain “authorized” access policies themselves, and that the strategy would miss security problems created by infecting authorized users, they start to question their own thinking. I don’t have solid data on this, but it appears that if these two points are considered, the block-the-unauthorized strategy loses more than half its support.
I got 2024 security views from 72 sources that I believe are highly qualified. This group identified what they say are very separate risk areas that likely demand at least some individual security tool attention. Let’s look at them.
The first one was the risk of the hijacked or infected client. Most security tools can really only authenticate users, and so they’re bypassed if a user can be impersonated or contaminated. The problem here is that you either have to look at the human user or at the client device, and both of these are difficult to pin down for identification purposes. Most companies don’t use biometrics for user identification, and absent that you’re back to user ID and password, which many write down or share. Users often access their applications from home or on the road, so there’s no reliable 1:1 relationship between person and device, and no easy way to ensure that users who get a new device won’t find themselves cut off.
The second risk was that of accidental API exposure. One of the new challenges of security is created by the componentization of applications, which requires network connections to “internal” APIs. If these APIs are exposed beyond the intended connectivity, they can allow a hacker to bypass traditional access-level security. Two-thirds of enterprises admit that they aren’t sure exactly what internal APIs might be addressable on their networks, or even from the Internet, and almost the same number admit to having no plan for using address space management to control accessibility.
The third risk was platform software vulnerabilities and exploits. Here, “platform software” means the software that’s used to sustain the operating environment of applications, including operating systems, middleware, management tools, and even security tools. Hacker gangs interested in getting to the largest possible number of targets are likely to look for these, and it’s very difficult to identify an attack on a platform tool until the exploit becomes known. Then you have to worry about how to remedy the problem for all the platform users.
What magical tool fixes all these things? The expert enterprises agree that none do. What’s needed? Of the 72 sources, 61 said the same thing: more attention to security practices than to security tools. According to this sub-group, the big problem with security over-spend is that management often sees tools as an alternative to proper staffing, and many security vendors will make this point in a sales pitch. The problem is that it doesn’t work.
This group also points out that the problem with the network permitting only authorized connections is also one of human effort and resources. Of 11 who say that they actually enforce connection security, 100% say it requires “a lot” of effort to keep the authorized list maintained and to update how authorized users are recognized as roles and devices change. It’s worth it, though, because this group of 11 reports less than a quarter of the number of security issues per enterprise as the full 354 enterprises who offered security comments. And, while this group of 11 said they were going to increase incremental security personnel costs by 3%, the full 354 postulated no 2025 staffing cost increase for security beyond the enterprise-wide expected payroll increases.
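As an added example (not from the original post, and not any vendor’s product), here is a Python check that applies an authorized-connection list of the kind those 11 enterprises maintain by hand to constructed flow records, and reports which internal APIs (the second risk area above) are being reached from outside their intended address space. The inventory, the internal address range and the connection records are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption, not survey data): each internal API with
# the client networks its owner declared "authorized". Keeping this current as
# roles and devices change is the human effort the text describes.
INVENTORY = {
    ("10.20.0.5", 8443): ("orders-api", ("10.20.0.0/16",)),
    ("10.20.0.9", 9000): ("billing-api", ("10.20.0.0/24", "10.30.1.0/24")),
}

# Assumed enterprise-internal address space; anything outside it is treated
# as Internet-reachable exposure rather than internal over-reach.
INTERNAL_SPACE = ("10.0.0.0/8",)

# Constructed connection records (src_ip, dst_ip, dst_port), e.g. from flow logs.
CONNECTIONS = [
    ("10.20.3.17", "10.20.0.5", 8443),   # inside orders-api's declared scope
    ("203.0.113.8", "10.20.0.5", 8443),  # source outside internal space entirely
    ("10.30.1.4", "10.20.0.9", 9000),    # inside billing-api's declared scope
    ("10.20.7.2", "10.20.0.9", 9000),    # internal, but outside billing-api's scope
    ("10.20.3.17", "10.20.0.5", 22),     # destination not in the inventory at all
]

def _in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)

def classify(src_ip, dst_ip, dst_port, inventory=INVENTORY):
    """Return (api_name, verdict); verdict is 'authorized', 'internal-overreach',
    'internet-exposed' or 'unlisted'. Unlisted destinations are never authorized."""
    entry = inventory.get((dst_ip, dst_port))
    if entry is None:
        return ("unlisted", "unlisted")
    name, nets = entry
    src = ipaddress.ip_address(src_ip)
    if _in_any(src, nets):
        # An authorized source is accepted as-is: a compromised but authorized
        # client passes this check, which is the gap the text raises.
        return (name, "authorized")
    return (name, "internal-overreach" if _in_any(src, INTERNAL_SPACE) else "internet-exposed")

def exposure_report(connections, inventory=INVENTORY):
    """Group every non-authorized connection by API and verdict, so the owner of
    the authorized list can see which APIs are addressable beyond intended scope."""
    report = {}
    for src, dst, port in connections:
        name, verdict = classify(src, dst, port, inventory)
        if verdict != "authorized":
            report.setdefault(name, {}).setdefault(verdict, []).append(src)
    return report

if __name__ == "__main__":
    for api, findings in exposure_report(CONNECTIONS).items():
        print(api, findings)
```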
A final interesting point was that among this group of 72, 18 said that they didn’t need any specialized security tools or products at all to meet their companies’ goals. Tuning development and deployment practices alone was enough. For this group, virus scanning and firewalls were sufficient. I think that’s likely due to a specialized situation at these companies, but I also think that it’s an indication that we really do need either a new approach to security or a shift of focus from layering tools to improving security practices overall.