I don't think it's a question of resources, it's a question of priorities. The US government spends tons of money on all sorts of things, but spending that money instead on security would mean they'd have to stop doing some of those other things that we actually pay them to do. The Navy could stop buying warships and spend all the extra money on security, but then they wouldn't have any warships, which is what the Navy is actually for.
This is by no means a government-only issue. Multi-billion-dollar companies keep getting hacked for basically the same reason. They too have lots of resources, but they are also spending those resources actually doing something. The BEST result you can get from spending on security is...nothing bad happens.
I completely understand the counter-argument that spending on security saves you the costs associated with getting owned, but that's clearly a hard argument to make to people who see all the other ways their money can be spent directly producing the results expected of them. It's the same basic problem IT has always faced ("it costs money, it doesn't MAKE money"), but it's worse with security since you don't even see it for the most part, except maybe as an annoyance.
>The BEST result you can get from spending on security is...nothing bad happens.
That's crap =]. A secret about security compliance (aka defense in depth) is that it actually reduces your technical debt, doesn't increase it. That's the best result in the world, low technical debt!
Right, and also good security solutions should have active defense features that fight breaches as they occur. Most breached organizations don't know they've been breached until months later...