Take a moment to think about your security budget. Has it increased over the past few years? If it has, has your security system done a better job at preventing or mitigating potential threats? Or does it feel like you are tossing money into a giant pit because no matter what you do or how much you spend, you just can’t get a good handle on cybersecurity protection?
The 2017 Thales Data Threat Report, conducted in conjunction with 451 Research, found that 73 percent of organizations increased their cybersecurity spending this year. Perhaps that’s not too surprising, since 68 percent said they experienced a breach. So it seems that while they are spending money on security, organizations continue to struggle with stopping incidents.
The reasons why and where companies spend their security budgets are as varied as the organizations themselves, the report found. However, they do share a common denominator: compliance. Nearly half (44 percent) said they focus their spending on compliance issues, while best practices and brand reputation follow close behind. But this could backfire, as Andy Kicklighter pointed out in a blog post about the Thales report, stating that too much focus on compliance in security spending is one of the reasons that many organizations are seeing a disconnect between security spending and the prevention of security incidents, adding:
The problem is that compliance requirements are now a minimum table stake given the nature of attacks, but evolve slowly compared to threats, and are typically designed to safeguard only specific pieces of information covered by the regulation or compliance regime. And the evidence is there that this approach just isn't working too - In spite of years of prioritizing compliance first, and investing to meet compliance requirements, the rate of data breaches keeps rising. Time after time, enterprises that were compliant have been breached.
Another concern is that organizations are implementing newer technologies, like the cloud or IoT, but don’t have the security tools in place to protect these specific areas. The study found that 63 percent of organizations are adding new technologies without having security tools in place, and this can cause gaping vulnerabilities.
This goes hand in hand with some of the comments I received about the report. Many experts think that as we move into new technologies, our security funds continue to be spent on outdated ideas. For example, Willy Leichter, VP of Marketing with CipherCloud, told me in an email:
Many businesses have an outdated mindset when it comes to cybersecurity. Investments in network and endpoint security extend the old perimeter security model – get bigger locks to keep the bad guys out. But with the explosion of cloud computing, the network perimeter becomes irrelevant, as vast amounts of infrastructure, processing, and storage are done outside of legacy network boundaries. This change requires a challenging pivot – focusing on protecting data wherever it goes – not just in known locations.
And Julien Bellanger, CEO and co-founder with Prevoty, echoed that thought via email:
Enterprises are used to the concept of a perimeter, the network, and access doors, the endpoints, so naturally they focus spending on keeping the wall up to keep the bad people outside out. The reality is that this infrastructure only exists because of the software that runs on it, and that software does not live within a perimeter anymore. If you ask any infosec specialist what visibility they have in the threats that are attacking their software and data, they most likely will have no answer. This is where we need to focus our investment, intelligence and defense - for software and data wherever it is.
As Peter Galvin, vice president of strategy, Thales e-Security, pointed out in a prepared statement, all organizations need to address an increasingly complicated threat landscape. The most effective way to do this is to build security systems around the technologies you use and keep them up to date, rather than continuing to spend money on outdated and ineffective technologies and ideas.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba