This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs.

The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector.

CIO Challenges (as ranked by respondents):
Application layer threats: 36%
Spyware: 16%
Information security: bottom of the stack

The CIOs' top priority for the next 12 months was reducing costs and addressing a lack of resources.

Okay, here's a RADICAL idea. Let's reduce costs and address a lack of resources while dealing with application layer threats - all at the same time.

Not kidding. A web application firewall (WAF) can address application layer threats. Because the WAF is performing an ever-vigilant watch over the applications, developers and security professionals can concentrate on other things - freeing up resources and reducing costs.

What's also interesting is that if the WAF is paired with an intelligent application delivery controller, capable of fully inspecting and manipulating requests and responses, you can also address that information security concern with the ability to dynamically adjust security policies when/if necessary to address emerging or newly discovered threats. While the CIO may not be so concerned about information security, I can't imagine that the guys in the trenches would put that concern at the bottom of the stack. They aren't called "Information Security Professionals" for nothing, after all.

Not convinced that a WAF is the right way to go? Well, the PCI Security Standards Council believes in WAF capabilities enough to make a WAF one of the two accepted options in PCI DSS, specifically requirement 6.6. That's non-trivial.

Also consider this analyst report from Stratecast, or this discussion on some of the benefits of centralizing application security.

Imbibing: Mountain Dew