The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets averaging $4.3 million this year represent a gain of 51% over the previous year and that figure is nearly double the $2.2 million spent in 2010 all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
[Case study: Security on a shoestring budget]
The question is, why? Why are security budgets rising but enterprises still are not getting the results hoped? "Many organizations are infatuated with buying the latest trendy thing, whether or not it makes the most sense for their specific security posture," says Jay Leek, chief information security officer at The Blackstone Group.
The 11th annual Global Information Security Survey of 9,600 executives also found that the number of organizations reporting losses of greater than $10 million per incident is up 75 percent from just two years ago. The costs of these breaches also are rising, with data breaches up 9 percent in 2013 from 2012.
One thing is certain the organizations are not spending on the technologies and capabilities best suited to help spot advanced attackers, such as malware analysis with only 51% doing so, inspection of traffic leaving the network (41%), rogue device scaling (34%), deep packet inspection (27%), or threat modeling (21%).
With all of this in mind, how do you tell if that increase in budget you received is being spent in the right areas?
The right staff
First up: make sure your team is well positioned when it comes to security staff.
"Figuring out if you are you understaffed or overstaffed can be tricky," says John Pescatore, director, emerging security trends, at SANS Institute. "If you have 10 firewalls, how many full-time equivalents does it take to manage them? If you have three people taking care of 10 firewalls, you either have really bad firewall managers or you should invest in a tool so that one person can manage those 10 firewalls," he says.
One way to evaluate staffing is to look at how many full-time equivalents are in the security program as a percentage of total IT positions. Another is to compare your security/general IT staff ratio with that ratio within your industry, and see how your security staffing stands in contrast to your peers, says Pescatore. "That's a good indication. Be sure to take into account how many full time equivalents may be in place through outsourcing arrangements, such as firewall management and monitoring," he explains.
Understaffing of security professionals is likely to create a situation where the organization will end up pushing unsecured projects into production, unable to properly respond to incidents, or properly maintain a healthy security program. This means that those who are there will be constantly jumping from one emergency to the next.
And when it comes to security budget spending, at least in the next few years, it would be wise to invest in people while organizations still can find those who are qualified. According to a just-released study from IT certifications provider (ISC)2, about 2.25 million information security professionals were working worldwide last year. That figure is expected to leap to 4.25 million in two years. And (ISC)2 expects that there could be a 47% shortage of security professionals qualified to fill those positions.
[How Colorado's CISO is revamping the state's information security -- on a $6,000 budget]
Our own "State of the CSO" in 2013 found that this demand for skilled IT security professionals is already straining organizations' ability to attract top security talent. It is the larger companies that are most likely to increase their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organizations. In fact, finding and retaining skilled IT security workers was identified among the greatest challenges for 31 percent of large companies.
Out with the old
Another way to maximize security budget is to make certain the budget is as aligned with current security demands and applications as is possible. "We see a lot of security shelfware out there," says Javvad Malik, security analyst at The 451 Group. "In a recent survey we conducted, not a single respondent said that they have a process in place to actually decommission old IT security products."
Predictably, what ends up happening, year after year, is these enterprises acquire new security applications but don't decommission those in place, even though they're not in productive use. "They're scared that it might impact something, or fear it's too embedded into their processes even though they're not getting any value out of the application. They end up with all of this bloat that's just hanging around and costing them money," he says. While it may sound obvious, it's something many enterprises aren't doing: cull all of those security appliances and software apps that can be decommissioned.
Avoid the shiny
Andy Ellis, chief security officer at Akamai Technologies, says it's unfortunately all-too common for enterprises to buy security equipment that they don't have the expertise on staff to maintain, or they fail to set aside training budget. Before buying that SIEM, web application firewall, or malware forensics analysis software, Ellis has a set of questions that he says need to be answered.
- Did you have people who knew how to use the system?
- Were they able to apply themselves to installing, using, and maintaining, the system?
- Did the system actually have effect?
While a negative answer would indicate an ill-thought purchase, an affirmative answer doesn't mean that the budget was wisely deployed. "At least you didn't just throw it away, but if you can't say "yes" to all three of those questions, then you've wasted your money. How many SIEMs are out there that don't actually do anything because there are no operators to tune them," Ellis says.
Focus on the endgame
Blackstone's Leek argues that for years now, many enterprises have been too spending heavily on defensive technologies and not enough on incident response. "No matter how much you spend on defense, and how good you are at defense, or how wise you are with your budget, there will be attacks that get through. And not enough companies have been investing in their response capabilities. As a result they have very little ability to respond when the inevitable happens," he says.
[Hey CSOs: Suck it up and accept budget cuts]
With most enterprises spending a disproportionately low amount on response compared to defense, putting a good chunk of that budget increase toward response does sound like one of the best investments of all.
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.