Why throwing more money at IT security isn't the answer

Spending more on IT security is a waste of time, argues Davey Winder, unless it's spent in the right way

IT budgets

Part of my working life involves being an IT security journalist, while the other part sees me doing some proper work as a consultant in the same field. I mention this as when I'm wearing the latter hat, I'm often asked "how much will it cost to secure my business?" and, frankly, it's the wrong question.

The right question, in case you wondered, is what do I need to do to secure my business and how can I achieve that in a cost-effective manner? It's not how long is the piece of string you have; it's what you've wrapped that string around and how well the knots are tied that really matters.

As a journalist, I am often exposed to vendors and researchers revealing how much is actually spent on security, or (more accurately) how little is spent. Obviously I find such stuff interesting, that comes with the territory in a job which is driven by facts and figures. But I also find it a tad worrying when faced with a 16-page research paper entitled "Cyber Risk and Spend on Security: How Do You Compare?" because I'm concerned this is also part of the wrong question syndrome.

Published by Saugatuck Technology, a company providing research/advisory and strategy consulting services to business, the report has a number of headline takeaways including "spending more on security is now table-stakes for any company concerned about its brand" and "low spending on security is now a sure-fire competitive disadvantage."

One of the key recommendations is that "increasing spending on security is good hygiene. It will keep the enterprise out of the news and the social media screeds. It will eliminate large financial risk that currently exceeds 60 times what is spent on security: almost 14 per cent of revenue. Security is the enabler of digital business going forward."

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

What the message should be shouting loud and clear is that spending wisely on security is good practise, and throwing money at the wrong security measures is the opposite.

Increasing spending is not the answer, getting your security posture right is. Saugatuck says enterprise business leaders should "plan to spend double, triple, and spend more on security" which is just good old-fashioned hogwash in my never humble opinion.

Enterprise business leaders should be investing in people who understand the security issues facing their organisation, and the processes required to mitigate those risks. Simple as.

Now that might cost more than is currently being spent, or it might just be a matter of pointing existing budgets in a different and more effective direction. The truth of the matter is nobody knows unless they actually audit the security situation, properly assess the risk scenario and enable a suitable mitigation strategy.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Most Popular

UK spy agencies supercharge espionage efforts with AWS data deal
cloud computing

UK spy agencies supercharge espionage efforts with AWS data deal

26 Oct 2021
Cryptocurrency: Should you invest?

Cryptocurrency: Should you invest?

27 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021