Why throwing more money at IT security isn't the answer

Spending more on IT security is a waste of time, argues Davey Winder, unless it's spent in the right way

Part of my working life involves being an IT security journalist, while the other part sees me doing some proper work as a consultant in the same field. I mention this as when I'm wearing the latter hat, I'm often asked "how much will it cost to secure my business?" and, frankly, it's the wrong question.

The right question, in case you wondered, is what do I need to do to secure my business and how can I achieve that in a cost-effective manner? It's not how long is the piece of string you have; it's what you've wrapped that string around and how well the knots are tied that really matters.

As a journalist, I am often exposed to vendors and researchers revealing how much is actually spent on security, or (more accurately) how little is spent. Obviously I find such stuff interesting; that comes with the territory in a job which is driven by facts and figures. But I also find it a tad worrying when faced with a 16-page research paper entitled "Cyber Risk and Spend on Security: How Do You Compare?" because I'm concerned this is also part of the wrong question syndrome.

Published by Saugatuck Technology, a company providing research/advisory and strategy consulting services to business, the report has a number of headline takeaways including "spending more on security is now table-stakes for any company concerned about its brand" and "low spending on security is now a sure-fire competitive disadvantage."

One of the key recommendations is that "increasing spending on security is good hygiene. It will keep the enterprise out of the news and the social media screeds. It will eliminate large financial risk that currently exceeds 60 times what is spent on security: almost 14 per cent of revenue. Security is the enabler of digital business going forward."

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

What the message should be shouting loud and clear is that spending wisely on security is good practice, and throwing money at the wrong security measures is the opposite.

Increasing spending is not the answer; getting your security posture right is. Saugatuck says enterprise business leaders should "plan to spend double, triple, and spend more on security", which is just good old-fashioned hogwash in my never humble opinion.

Enterprise business leaders should be investing in people who understand the security issues facing their organisation, and the processes required to mitigate those risks. Simple as.

Now that might cost more than is currently being spent, or it might just be a matter of pointing existing budgets in a different and more effective direction. The truth of the matter is nobody knows unless they actually audit the security situation, properly assess the risk scenario and enable a suitable mitigation strategy.
