(The below content is compliments of ATC provider, Masergy.)
Data breaches have become an unfortunate reality for every organization. Since 2017, mega-companies like Delta, Sears, Best Buy, Under Armour, and Panera Bread have suffered newsworthy data breaches. These five are just a sliver of the estimated 1,765 data breaches that took place in the U.S. in 2017. While that number is lower than the previous year, the breaches themselves are getting larger, resulting in more records lost.
CIOs and IT professionals certainly know that their organizations are potential targets, so why are breaches still happening at such a high rate? Are their security budgets being squandered? Let’s take a look at current IT security spending to see how and where a better strategy can be applied.
What’s the Current Spending Approach?
Even in this post-Equifax world, enterprises continue to take a reactive stance towards security vulnerabilities. An organization that has experienced a breach might hire a cybersecurity expert whose main objective is to clean up the mess. In the words of Gartner Research Director Ruggero Contu, “Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high-profile cyber attacks and data breaches affect organizations worldwide.” (Source: Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017.)
A reactive response is valid in today’s world; after all, it’s not a matter of if attackers get in but when. However, the exact type of reaction and the precise timing of the response can be the difference between negligent and responsible.
In order to stay safe, companies need to blend proactive security approaches with reactive approaches that are highly responsive and demonstrate accountability.
That requires having the right infrastructure and staff, covering 24/7 incident detection and rapid response capabilities as well as vulnerability and penetration testing that helps enterprises design meaningful security improvement initiatives. CISOs need to know that their security systems can monitor alert activity, detect vulnerabilities, and immediately react to prioritized threats. But beyond just that, they should also perform deeper risk analysis and make strategic security enhancements that strengthen the overall security posture over time. They need to be thoughtfully proactive and responsibly reactive.
Where’s the Money Going?
So, where are security budgets being spent, and how should enterprises make smarter investments to blend proactive and reactive strategies?
Gartner says security services are the largest slice of the total spending pie. The same Gartner study projects that security services spending will increase by 8.8 percent to $57.7 billion in 2018.
This jump is fueled by a couple of things:
- Skills Shortage: First, there is a skills shortage within the cybersecurity industry. With security talent in high demand, organizations increasingly rely on partners that offer comprehensive managed detection and response services.
- Growing Threat Landscape: The number of attacks may be declining, but the size and scope of security attacks are growing rapidly. Managed services are a way to rapidly expand defensive forces without the budget impact of added headcount.
Money is also going toward cybersecurity insurance. Some studies show 28 percent of organizations plan to allocate all or most of their cybersecurity budget to insurance next year. This number jumps to 43 percent at tech companies.
But this approach seems questionable at best.
Insurance is a reactive tool. It only partially covers the costs, and then only after damage is already done. Depending on the policy an organization purchases, it may not even address business-related losses like downtime, lost customers, or damage to the brand’s reputation. Like all insurance companies, these insurers also require proof that a company has taken adequate measures to protect itself before paying out settlements. Insurance policies should never be considered a security solution. At most, they should be considered a final line of defense.
Furthermore, investments in security services are offsetting the cost of cybersecurity insurance. Premiums can be reduced when enterprises show high levels of security awareness combined with comprehensive monitoring and security improvement. For example, some Masergy customers report insurance rate reductions after demonstrating how their Virtual CISO services manage and oversee their enterprise security program, including regular vulnerability management and penetration testing, 24/7 monitoring, risk analysis, as well as rapid response. This professional service closes the feedback loop using improvement programs to continually tighten or close security gaps.
Another proactive investment is employee training, as IT teams continue to struggle with user education, acceptance, and behavior. Some studies show that only 61 percent of organizations (and fewer in the financial services industry) spend on cybersecurity-awareness training. It is imperative that training be developed and implemented so that employees are aware of not only the risks and possible breach points but how to handle potential threats.
Infrastructure and Equipment
While security services spending is expected to increase by more than eight percent this year, Gartner expects additional growth in infrastructure protection with a 7.15 percent year-on-year rise. Network security equipment spending is also projected to increase 6.29 percent, and consumer security software spending will grow by 2.29 percent. Look for a lift in security systems and software that utilize machine learning and behavior analytics, making reactions faster and more informed.
Of all data breaches, 85 percent occur on systems that had a security patch available but not implemented for at least six months. Oracle CEO Mark Hurd has frequently noted this statistic in interviews and speeches, and he has a point. The soundest security strategies combine advanced technologies, people, and processes.
Major breaches in 2017, like the Equifax breach, could likely have been avoided with proper patch management. Machine learning systems triage massive amounts of information and simplify complex data correlation to reduce human error and spotlight anomalies in real-time. The result: a speed that shifts the needle from passive to active.
IT security budgets can no longer be allocated solely to reactive approaches. CISOs and IT leaders should invest in educating employees, identifying security gaps, and blending in machine learning technologies to accelerate response rates. Beyond merely monitoring, enterprises should take a more proactive and responsibly reactive stance, preemptively plugging holes and fixing problems the moment a vulnerability is discovered.