March 14th, 2008 by Chandler Howell

Amrit asks, “Is the cure costlier than the disease?” regarding desktop security agents. His story starts out familiarly enough:

When I was still an analyst I was part of the mobile workforce, coming into the office maybe once or twice a year. The company-owned laptop I was provided ran 4 different security agents, plus several other agents for various systems management functions (asset, configuration, etc.) and remote access. Since the majority of the time the company had no ability to manage these mobile systems they would enforce some fairly draconian security policies, such as locking down aspects of the OS, disallowing certain protocols and applications to traverse the network VPN, as well as configuring the various scan-based security technologies to scan the system on a recurring basis (OK so maybe these are all reasonable and I felt they were draconian because I suffer from a Nietzsche “super-employee” complex and believe myself to be above the normal security policies of other employees - coincidentally I stopped using the corporate supplied laptop and switched to a Mac).

Here is the kicker, my machine suffered from significant performance problems. Not only did it now take a good 5+ minutes to restart, it was unusable during a scan - which meant I was unable to work several hours a week.

This is the story of the life of the average “enterprise” worker. In a past life, we were effectively told, “you can’t add any more agents unless you take one of the existing ones away.” Today, I “only” suffer from two or three different security-related agents on my laptop, which is especially ironic given that I do much of my work inside a virtual machine running Ubuntu Linux.

Getting back to Amrit, though, he’s kind enough to provide a great Back-of-the-Envelope (BOTE) analysis of the costs of providing desktop “security” for a theoretical 5,000 person company.

How’s it stack up, and to what? Amrit uses the same data set I used for my DLP and Full Disk Encryption BOTE analysis, the ISF’s Annual Survey, which told him:

“The Computer Security Institute conducted a survey of 538 computer security practitioners in corporations, government agencies, financial institutions, medical institutions, and universities in the United States. Their results revealed that 85 percent of respondents had detected computer security breaches within a twelve-month period. The 35 percent who listed a financial impact reported $377,828,700 in financial losses. Of these, many cited their Internet connection as the point of attack for hackers.”

I’m not going to give you the spoiler–you can go read it yourself–other than to say I wholeheartedly agree with his assumptions, his methodology, and his conclusion.
