Last week, I wrote about the issue of cybersecurity spending. While budgets for cybersecurity are on the rise, that doesn’t mean the money is being spent wisely.
This week, I want to talk a little more about why cybersecurity spending is rising. According to a Ponemon Institute and Identity Finder survey, thanks to the “Year of the Mega Breaches,” companies are taking more of an interest in protecting their networks and data. As eSecurity Planet explained:
The Ponemon report, entitled "2014: A Year of Mega Breaches," states that following the Target breach and other well-publicized breaches last year, 72 percent of respondents said senior management provided them with the tools and personnel to contain and minimize breaches, 69 percent said they were given the tools and personnel to quickly detect breaches, 67 percent said they were provided with the budget necessary to defend the organization from data breaches, 65 percent said they received the tools and personnel to prevent breaches, and 55 percent say they were provided with the tools and personnel to determine the root causes of data breaches.
That’s all well and good, but as Dr. Larry Ponemon, Ph.D. chairman and founder, Ponemon Institute, pointed out in a statement about the survey, throwing money at the problem is only one step of the cybersecurity battle. While it is positive that senior management recognizes that 2014 is a harbinger of things to come – experts expect 2015 to be worse – it also ignores a basic fundamental of security:
Security is not only about more investments in prevention but also about understanding the data itself that is vulnerable.
As Todd Feinman of Identity Finder told me in an email, too many companies are actually following the most basic rule of insanity when it comes to cybersecurity – doing the same thing over and over again but expecting different results:
As this study points out, companies continue to invest [in] solutions that attempt to block intruders, and very few are investing in solutions that will help identify where breachable data is in the first place. Unfortunately, the bad guys are still getting in. So why are companies expanding budgets in perimeter defense and ignoring a solution that could actually remove the data that’s being breached in the first place? Truly protecting consumer data privacy means vastly reducing an organization’s sensitive data footprint. You can’t steal what isn’t there.
It all goes back to the idea of spending wisely. Less could actually end up being more if the cybersecurity budgets are spent with an end goal in mind. What is it that you want to protect? Once you know that, you can create security systems and controls that are better targeted to your company’s specific needs – and it will likely save you in the long run.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba