Why throwing more money at IT security isn't the answer

Spending more on IT security is a waste of time, argues Davey Winder, unless it's spent in the right way

IT budgets

Part of my working life involves being an IT security journalist, while the other part sees me doing some proper work as a consultant in the same field. I mention this as when I'm wearing the latter hat, I'm often asked "how much will it cost to secure my business?" and, frankly, it's the wrong question.

Advertisement - Article continues below

The right question, in case you wondered, is what do I need to do to secure my business and how can I achieve that in a cost-effective manner? It's not how long is the piece of string you have; it's what you've wrapped that string around and how well the knots are tied that really matters.

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

As a journalist, I am often exposed to vendors and researchers revealing how much is actually spent on security, or (more accurately) how little is spent. Obviously I find such stuff interesting, that comes with the territory in a job which is driven by facts and figures. But I also find it a tad worrying when faced with a 16-page research paper entitled "Cyber Risk and Spend on Security: How Do You Compare?" because I'm concerned this is also part of the wrong question syndrome.

Advertisement - Article continues below
Advertisement - Article continues below

Published by Saugatuck Technology, a company providing research/advisory and strategy consulting services to business, the report has a number of headline takeaways including "spending more on security is now table-stakes for any company concerned about its brand" and "low spending on security is now a sure-fire competitive disadvantage."

One of the key recommendations is that "increasing spending on security is good hygiene. It will keep the enterprise out of the news and the social media screeds. It will eliminate large financial risk that currently exceeds 60 times what is spent on security: almost 14 per cent of revenue. Security is the enabler of digital business going forward."

The only bit of that I actually agree with is that security is an enabler for business; everything else is just smoke being blown out of the nether regions.

What the message should be shouting loud and clear is that spending wisely on security is good practise, and throwing money at the wrong security measures is the opposite.

Advertisement - Article continues below

Increasing spending is not the answer, getting your security posture right is. Saugatuck says enterprise business leaders should "plan to spend double, triple, and spend more on security" which is just good old-fashioned hogwash in my never humble opinion.

Enterprise business leaders should be investing in people who understand the security issues facing their organisation, and the processes required to mitigate those risks. Simple as.

Now that might cost more than is currently being spent, or it might just be a matter of pointing existing budgets in a different and more effective direction. The truth of the matter is nobody knows unless they actually audit the security situation, properly assess the risk scenario and enable a suitable mitigation strategy.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020