Why throwing more money at IT security isn't the answer

Spending more on IT security is a waste of time, argues Davey Winder, unless it's spent in the right way

Part of my working life involves being an IT security journalist, while the other part sees me doing some proper work as a consultant in the same field. I mention this because, when I'm wearing the latter hat, I'm often asked "how much will it cost to secure my business?" and, frankly, it's the wrong question.

The right question, in case you wondered, is "what do I need to do to secure my business, and how can I achieve that in a cost-effective manner?" It's not how long your piece of string is; it's what you've wrapped that string around and how well the knots are tied that really matters.

As a journalist, I am often exposed to vendors and researchers revealing how much is actually spent on security, or (more accurately) how little is spent. Obviously I find such stuff interesting, that comes with the territory in a job which is driven by facts and figures. But I also find it a tad worrying when faced with a 16-page research paper entitled "Cyber Risk and Spend on Security: How Do You Compare?" because I'm concerned this is also part of the wrong question syndrome.

Published by Saugatuck Technology, a company providing research/advisory and strategy consulting services to business, the report has a number of headline takeaways including "spending more on security is now table-stakes for any company concerned about its brand" and "low spending on security is now a sure-fire competitive disadvantage."

One of the key recommendations is that "increasing spending on security is good hygiene. It will keep the enterprise out of the news and the social media screeds. It will eliminate large financial risk that currently exceeds 60 times what is spent on security: almost 14 per cent of revenue. Security is the enabler of digital business going forward."

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

What the message should be shouting loud and clear is that spending wisely on security is good practice, and throwing money at the wrong security measures is the opposite.

Increasing spending is not the answer; getting your security posture right is. Saugatuck says enterprise business leaders should "plan to spend double, triple, and spend more on security", which is just good old-fashioned hogwash in my never humble opinion.

Enterprise business leaders should be investing in people who understand the security issues facing their organisation, and the processes required to mitigate those risks. Simple as.

Now, that might cost more than is currently being spent, or it might just be a matter of pointing existing budgets in a different and more effective direction. The truth of the matter is that nobody knows unless they actually audit the security situation, properly assess the risk scenario and put a suitable mitigation strategy in place.
