Security is IT’s #1 spending priority… but should it be?
There’s been a major shift in IT-related spending. An IDG Research Services survey, conducted on behalf of Datalink, found that IT investment is now driven by business goals, rather than, as in the past, by needs and upgrades. The top IT investment is security; cybersecurity spending is expected to balloon. According to Gartner, $75 billion was spent on cybersecurity in 2015; by 2020, expenditures are expected to top $170 billion.
It may have taken a few years and several high-profile breaches and cyber attacks, but businesses finally appear to be taking security seriously, and executives and boards of directors are willing to invest in better cybersecurity systems. Yet is the way security spending is now justified, often by requiring IT teams to tie each technology investment to a business goal such as risk mitigation, actually the best strategy? Should security be a business's top IT spending priority?
The price tag of peace of mind
Before that question can be answered, it helps to understand why companies have changed the way they view cybersecurity and spending so dramatically. That goes especially for smaller businesses, which, unfortunately, have often assumed they are too small to be a target for hackers.
“Businesses have seen the adverse effects security breaches can have on their reputation and their financials,” said Mirek Pijanowski, director with Fireloft. “Businesses have realized that they must learn from others’ mistakes in order to survive, and they are starting to fully understand the risks of a major data breach or loss.”
How much a company spends on cybersecurity, or on security offshoots such as disaster recovery and business continuity, depends on factors such as the level of identified risk and how risk-averse its business leaders are. “Some organizations may place the importance of integrity and availability higher than confidentiality (e.g., social media), while some may place confidentiality and integrity higher than availability (e.g., financial organizations),” said Pijanowski.
“The cure doesn’t remove the pain”
Security spending should be treated like any other technology investment and tied to business objectives and goals, but the investments must be made wisely. The problem is that, too often, the people making IT spending decisions get caught up in the latest and greatest tools or fixate on a single threat area. A security budget deserves the same question as any other budget: where will the money add the most value? Adding security technology and controls ad hoc is inefficient, Pijanowski pointed out, and can result in significant expenditure with no significant benefit.
Wes Kussmaul, president and CEO of The Authenticity Alliance, compares the approach that many companies take toward security spending with those who spend money on “miracle” weight loss remedies. “They all touch a pain button, the cure doesn’t remove the pain, so they spend more on another miracle product,” he said.
Kussmaul added that security is rarely done correctly, citing Public Key Infrastructure (PKI) as a prime example. “Unfortunately, PKI never seems to be done right. It needs to start with identity certificates issued using proper enrollment practices. PKI should be based upon identity certificates of measurable reliability, established through proper enrollment practices. Credentials should be owned by the users and usable for personal accounts, so users protect them and, most importantly, so they don’t share them. Every significant event on the network should produce a log record that is digitally signed by the user’s PEN (private key) accompanying the identity certificate.”
That, he added, would make everything more manageable, producing real information security in place of the wishful thinking that passes for information security when companies try to infer the intentions and character of whoever sent a stream of bits.
Security spending too often starts narrow, with one tool or one threat, and then tries to stretch that purchase to cover everything. The order should be the reverse. Start with the big picture: the multitude of endpoints connecting to the network, better education and training, and an understanding of attacker techniques, for starters. Then examine how those security needs fit into the enterprise structure, and only then devise a security spending plan.
“Knowing what to protect,” said Pijanowski, “is going to give you the most effective use of your security budget.”