Are you spending your security budget wisely?
After a record number of high-profile data breaches and other cybersecurity incidents in 2014, business leaders are giving the green light to increased security spending. A recent study by Piper Jaffray found that the majority of CIOs plan to increase their security budgets by two percent in 2015. They’ve also declared that security spending is this year’s top IT budget priority.
Last summer, a Gartner study discovered that, on average, companies spend approximately $400 per employee annually on security controls, a number that will likely go up in the coming months. With all of the negative publicity that has been generated from the Year of the Breach, small and midsize companies are taking security spending as seriously as large corporations. In fact, a study by Osterman Research and Trustwave found that smaller businesses are spending twice what larger companies spend per person.
More money, more problems?
On the surface, the rise in security budgets looks like a positive step. However, the Trustwave survey revealed the downside: just because the money is there doesn’t mean it is being spent wisely. Too many companies are either purchasing the wrong security tools for their company or they aren’t installing or using the tools after they are purchased, commonly called shelfware.
“The survey responses from IT decision makers puts the blame for the shelfware problem on a lack of time and resources. Among respondents, 35 percent said that IT was too busy to properly implement the software that was purchased, while 33 percent noted that IT didn’t have enough staff,” Michael Heller wrote in a Tech Target article about the Trustwave survey.
Kevin Bong, a manager with Sikich’s security and compliance practice, said the problem is often that company employees are often not adept at deploying basic security functions, which is why the controls and software end up purchased but never used.
The FUD factor
Another reason organizations may fail to take full advantage of their available security features can be tied back to what the industry often refers to as FUD: fear, uncertainty and doubt.
“When an organization is faced with misinformation or a lack of information, poor IT decisions can result,” Bong said. “Some common IT security examples involve exempting servers from automatic patch deployment, configuring anti-virus to disable certain features or skip certain data, or configuring a firewall with a default allow-all outbound traffic policy. These types of poor decisions create security gaps and negate the value of security investments.”
So, the good news is that companies are willing to spend on security tools. The bad news is they can’t do any good if they are sitting on a shelf. One way to get them off the shelf and onto the network and computers is to ensure that the tools are absolutely necessary for your particular business situation. Bong recommended conducting and documenting a risk assessment before beginning to look at controls or talk to solution vendors.
“The risk assessment will help you determine where the most critical gaps exist in your environment, and what specifically a new control would need to accomplish to fill those gaps. Knowing both your level of need for a solution as well as what that solution would need to do for you is a great step toward selecting the right solutions,” he said.
Knowing your industry’s specific legal and regulatory requirements will also lead to the purchase (and use) of the right security controls, said Dominique Singer, principal, security solutions architecture with Hexis Cyber Solutions.
“From there, an Information Security Management System (ISMS) needs to be established to both understand and track risk, and to define and track appropriate controls which should be implemented,” he said. “The ISO 27000 series of standards provide an excellent starting point, a solid foundation from which to build an ISMS that can withstand the scrutiny of various regulatory requirements, but more importantly – provide the right framework for a truly Strategic Information Security Program. By following ISO guidance, an organization can look at the basic building blocks and determine where it’s appropriate to spend the limited security budget.”
You have the tools; don’t forget about the people
Finally, be sure your security budget includes adequate IT staffing to make certain your organization is doing fundamental IT security best practices well. When IT staff is stretched too thin, even the most basic security controls, like password enforcement and patching, are often the first activities that are skipped, since their absence would not typically have a noticeable impact until a security breach actually occurred.
In many breaches, the “weak link” that allowed the breach to occur wasn’t necessarily related to a gap in the IT system, but rather to a human that was manipulated through a phishing or other social engineering attack, Bong advised. When considering security investments, don’t just think about what new products you may need; also consider approaches you can take to improve employee security awareness. It is that all-round assessment that allows for the best use of the security controls, and, in turn, gets the best bang for the security bucks.