IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
In-depth

Why throwing more money at IT security isn't the answer

Spending more on IT security is a waste of time, argues Davey Winder, unless it's spent in the right way

IT budgets

Part of my working life involves being an IT security journalist, while the other part sees me doing some proper work as a consultant in the same field. I mention this as when I'm wearing the latter hat, I'm often asked "how much will it cost to secure my business?" and, frankly, it's the wrong question.

The right question, in case you wondered, is what do I need to do to secure my business and how can I achieve that in a cost-effective manner? It's not how long is the piece of string you have; it's what you've wrapped that string around and how well the knots are tied that really matters.

As a journalist, I am often exposed to vendors and researchers revealing how much is actually spent on security, or (more accurately) how little is spent. Obviously I find such stuff interesting, that comes with the territory in a job which is driven by facts and figures. But I also find it a tad worrying when faced with a 16-page research paper entitled "Cyber Risk and Spend on Security: How Do You Compare?" because I'm concerned this is also part of the wrong question syndrome.

Published by Saugatuck Technology, a company providing research/advisory and strategy consulting services to business, the report has a number of headline takeaways including "spending more on security is now table-stakes for any company concerned about its brand" and "low spending on security is now a sure-fire competitive disadvantage."

One of the key recommendations is that "increasing spending on security is good hygiene. It will keep the enterprise out of the news and the social media screeds. It will eliminate large financial risk that currently exceeds 60 times what is spent on security: almost 14 per cent of revenue. Security is the enabler of digital business going forward."

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

What the message should be shouting loud and clear is that spending wisely on security is good practise, and throwing money at the wrong security measures is the opposite.

Increasing spending is not the answer, getting your security posture right is. Saugatuck says enterprise business leaders should "plan to spend double, triple, and spend more on security" which is just good old-fashioned hogwash in my never humble opinion.

Enterprise business leaders should be investing in people who understand the security issues facing their organisation, and the processes required to mitigate those risks. Simple as.

Now that might cost more than is currently being spent, or it might just be a matter of pointing existing budgets in a different and more effective direction. The truth of the matter is nobody knows unless they actually audit the security situation, properly assess the risk scenario and enable a suitable mitigation strategy.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022