Will 2018 see an uptick in security spending? Jack Miller, chief information security officer at SlashNext, thinks so. “Security teams need to continually advocate for upper management to separate security spending from standard IT budgets,” said Miller. “IT spending is a cost of doing business, but security systems provide the last best defense against the loss of a company’s data, its brand reputation, and related customer confidence. Just like you don’t determine how much auto liability insurance you should have based on the maintenance costs of your car, it makes no sense to base your security budget on your overall IT spend. Just as with your auto liability insurance, your security spend needs to be based on your overall risk profile.”
Most experts agree that more organizations will increase their security budget in 2018 (although that agreement isn’t unanimous). Here’s what they’ll be spending that money on – and the reasons for some skepticism about increasing budgets.
The Need to Subcontract Security Services
Many SMBs know they need to deploy better security systems, but they can’t afford to hire a full-time security professional inhouse, or the IT pro who handles security is overloaded and needs help. This is why Lindsey Havens, senior marketing manager with PhishLabs, believes many smaller companies will move to either sub-contract or move toward cloud services for their security solutions, a move that will require extra funds.
Security Analytics and Machine Learning
Companies are gathering increasing amounts of security events by the nature of the expanding infrastructure, according to Thomas Fischer, global security advocate with Digital Guardian. The introduction of new tools and the constant growth of threats makes it more difficult to process and detect suspicious activity. That’s why we’ll see an increase in money spent on cloud-based analytics services in 2018. These services can improve the processing of the events using aggregated threat intelligence, and leverage machine learning to identify abnormal and suspicious activity.
We Must Do a Better Job at Protecting Digital Assets
In the wake of massive data breaches over the past few years, which have caused executive team shake-ups and material hits to bottom lines, companies are investing more in protecting their digital assets, according to Harry Sverdlove, former CTO and head of security for Carbon Black and CTO of Edgewise Networks. Areas where Sverdlove thinks we’ll see increased spending include: identify access management (how do I ensure only authorized users have access?), network security and segmentation (how do I isolate and protect my sensitive data?), and compliance (how do I ensure compliance with required regulations for my industry?).
Need for Anti-Fraud Tools
"The spending priority on anti-fraud controls for organizations as they go into 2018 will be an expansion of tools they already have — keeping those tools updated, getting more sophisticated tools,” said John Gunn, CMO with VASCO Data Security. “And using tools that put less burden on their users, that are frictionless, seamless, transparent - tools that allow institutions to serve more customers with more capabilities, and without taking on more risk. Two of these solutions are risk analysis engines, which are moving to more advanced machine learning and ultimately moving to artificial intelligence, and behavioral biometrics, which is based on natural human/device interactions such as the way you type numbers on a keypad—the cadence, your normal patterns."
“2018 security budgets will certainly increase year-over-year for U.S. companies that handle any customer data of citizens within the European Union, due to the EU’s General Data Protection Regulation (GDPR) going into effect,” said Cam Roberson, director of the Reseller Channel at Beachhead Solutions. “With an enforcement date of May 25, 2018, organizations doing business in the EU must (very quickly at this point) get moving on compliance. If they don't, that security budget might end up instead going to regulators, since penalties for non-compliance can reach up to 20 million Euros or 4% of annual revenue -- whichever is higher.”
Investing in People and Processes
Colin O’Connor, VP of Security Operations at national enterprise cybersecurity firm ReliaQuest, predicts that in 2018, security budget increases will go toward investing in people and processes, a change from the past, which saw higher investments in security technologies. “Why are companies increasingly investing in people and processes?” O’Conner asked. “In short, to maximize ROI on their existing security investments and solutions. Without the right security environment — qualified and skilled staff to manage the technology and correct processes to ensure operations are running effectively -- security technology investments cannot be fully maximized.”
A Shift in Security Technology Spending
Most security spending is on perimeter security, such as firewalls, penetration testing (red teams), anti-phishing training and intrusion detection, according to Lev Lesokhin, EVP Strategy and Analytics at CAST. Historically, there has been a huge imbalance between perimeter versus application and data security spending. Expect to see a shift in that spending imbalance in the coming months. Security budgets are focusing more on application and data security as IT teams become more proactive and sophisticated in their cyber capabilities.
More Money Yes, But Not Covering the Basics
You can spend more money, but you won’t always be able to fix the most basic security problems. “Organizations will continue to increase spending on security and new solutions, but will struggle to keep up with basic security hygiene such as patching,” said Morey Haber, vice president of technology at BeyondTrust. “Hackers will continue to penetrate environments leveraging known vulnerabilities where patches have existed for quite some time.”
Not Everyone Will Increase Spending
"I predict security budgets will increase, by 10-20 percent,” said Robert Douglas, president of PlanetMagpie IT Consulting. “However, this will only happen in 20-30 percent of businesses. Just over 50 percent will not increase their budgets, trusting that their existing protections will suffice. The smart ones realize this isn't true at all.”
Keeping the Status Quo
Rather than spend more money; the focus should be on getting the optimal use from the solutions we already have. "Most security budgets will maintain at their existing levels, as organizations attempt to operationalize their current investments in perimeter security, endpoint protection, log management, and patch management solutions that are required by various compliance standards,” said Jim Broome, president of DirectDefense.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba