In the world where security breach is becoming part of headlines, there is a persistent and continuous stream of malware attacks, millions of records are hacked every year which costs the government and commercial businesses billions of dollars. Business partners, customers, and shareholders demand the Cybersecurity assurance that organization cannot provide. Security spend is increasing.
Gartner forecasts worldwide enterprise security spending to total $96.3 billion in 2018, an increase of 8% from 2017. Organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution of a digital business strategy.
Trends in Security Expenditure
In many organizations, areas such as physical security, business continuity, disaster recovery and human security are separate from the information security budget. Those departments have security and security spending embedded in their projects.
“Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high profile cyber attacks and data breaches affect organizations worldwide,” said Ruggero Contu, research director at Gartner.
Security spending is majorly divided into two buckets :
- Operational Spending: The top part of the operational budget goes to :
- Protection and prevention
- Detection and response and,
- Remaining of course utilized for compliance requirement which merely meets the requirements.
- Technology Spending: Top three technologies for which organizations are spending money are :
- Identity Access Management and Authentication
- Advanced malware protection and,
- Endpoint security.
- Application security and security intelligence take back seat when it comes to compromise on the budget.
Worldwide Security Spending by Segment, 2016-2018 (Millions of Current Dollars)
|Identity Access Management||3,911||4,279||4,695|
|Network Security Equipment||9,789||10,934||11,669|
|Consumer Security Software||4,573||4,637||4,746|
Source: Gartner (December 2017)
Does More Spending Assure More Protection?
The effectiveness of spending is measured using ROI (Return On Investment), in case of security the traditional ROI calculation does not work. Here the CISO, who is responsible for justifying security budgets needs to be creative. Identifying the business-critical data, the risk associated with this data and protection required to mitigate the risk is one of the best ways to represent the spending.
We have seen in past few years’ exponential growth in cyber-attacks and increase in security budgets. Is this increased in security spending is reducing the attacks?
Money not spent wisely will never help to improve security posture. Purchasing wrong tools, not implementing correctly, not configuring and managing existing tools effectively is waste of security spending.
Security is not only about implementing tools and technologies or complying with the regulatory requirements but it is understanding business needs, identifying security risks and managing these risks by creating and implementing policies with the help of technologies and compensating limits of technology by best practices and processes.
Alternatively, just by assessment at three layers of security namely policies, technologies, and processes can provide you a plan to further improve the security posture.
Best Practices for Security Expenditure
Before even start playing with the numbers, consider following points:
- Identify Crown Jewels: First and most important step is , identify the data, applications that are most critical to the business, label the assets which are running these applications, processing storing the data. For example, you are manufacturing company than your crown jewels will be your engineering designs and supply chain data.
Identifying the crown jewels for your organization will help to understand where the security efforts needs to be focused and how to prioritize the requirements
- Identify business risks – There are no defined criteria for identifying and defining risks, this is where CISO’s understanding of the business and the expertise in security domain will help. While defining risk, CISO should make sure to include financial losses due to breach, competitive advantage, an organization’s reputation plus compliance requirements.
- Perform the effectiveness assessment – Before adding new technologies or changing security environment, perform the effectiveness assessment for the existing tools, technologies and processes. This will provide CISO the insights of improvement areas without spending much of security budget. Once the areas of improvements are identified and the gap between required controls and existing improved controls is visualized, identify the areas of spending.
- Cover all aspects of Security – Security budget covers lots of things which may not be coming under direct control of CISO and that is where CISO need to be vigilant about taking into considerations of all aspects of security , this includes the regulatory complaince audit expenditure , operational cost for the outsourced security areas, cost of renewals of the maintenance contracts and licenses , back-up and recovery of security related data (log data , configuration data , etc.), security awareness trainings , premium for security insurance (if organization has purchased it). In some cases, cost of the physical security like access controls may also need to be included in security spending. It is helpful to make a list and get the data from the previous years. Be comprehensive that will help to avoid the last minute security budget surprises and allow you enough room to prioritize expenditure.
- Perform cost-benefit analysis – Due to the digitization of the organization security has become the business enabler to boost the revenue of the business and hence security is no more expense but it should be considered as an investment. Security can help to increase the customer loyalty, get the new products faster to the market and win over the competition, make a business complaint to the regulatory requirements either specific to your industry like PCI-DSS, HIPPA or the other mandatory requirements like GDPR and Chinese data protection law.
Is the adding new state of the art technologies, pouring more money into the security infrastructure and services is the only answer to improve the security posture of the organization? The answer is NO, simply by managing security hygiene and risk related issues effectively can improve security posture significantly. Creating, monitoring and managing security baseline, hardening of systems, threat-centric vulnerability management, and backup-restoration are some of the areas needs more attention.
Fortunately, advances in technology are driving costs down, and innovative products are available that provide end-to-end solutions without needing large amounts of in-house resource.