Are You Really Spending Enough on Security?

Many CIOs endanger their companies simply by not spending enough on security.

That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.

But if you consider the proportion of the overall IT budget that businesses allocate to security, you’ll find a red herring. That's because the purpose of spending money on IT security — aside from ticking regulatory compliance boxes — is to reduce the risk of a security breach to an acceptable level. The amount of spending required to achieve this is not connected to overall IT spending in any way.
In the most basic terms, security risk is the product of the cost or financial impact of a security breach and the likelihood that a breach occurs. In other words, Risk = Cost x Likelihood.
It was using this equation that led Sony's senior vice president of information security, Jason Spaltro, to point out back in 2007 that "it’s a valid business decision to accept the risk" of a security breach, adding, "I will not invest $10 million to avoid a possible $1 million loss."
Sony may have made some spectacular miscalculations in terms of cost and likelihood, but Spaltro's economic argument for allocating resources to security is sound: There is no point in making any investment — in security or anything else — if the greatest possible return is less than the amount invested.
But let's get back to the initial idea that companies don’t spend enough on security. What the Sony security breach taught us is that most companies wildly underestimate the likelihood of a breach in their future.
Sony bases its estimates on events from the past; but in recent months, it's become evident that the security landscape has fundamentally changed.
In the past most security breaches were carried out by criminal hackers with limited resources and motivated by financial gain. This meant that their targets would yield financially valuable spoils such as credit card details, and if a target's defenses were too troublesome to overcome, the hackers would simply move on to another promising target with less-effective defenses.
In the same way that if you are being chased by a bear then it is only necessary to run faster than your buddy. Therefore having reasonable security measures in place was enough for many companies to ensure that hackers would move on and attack someone else.
The Sony attack was likely carried out by foreign-government-sponsored hackers or perhaps even military personnel. This is according to James Lewis, a security expert at the Center for Strategic and International Studies in Washington, D.C.
These types of attackers are highly skilled and have enough resources to breach any security defense they want to. And because it seems that they are motivated beyond money, such as the desire to cause financial or reputation damage, for example, there is no strong incentive for them to move on to the next target unless the defenses they encounter are high.
"Criminals are opportunistic. They just want to make money. But government-sponsored hackers will just keep trying and won't give up,” Lewish says. “The Sony hackers were vindictive. This was not done for money—it was politically motivated, and there was no effort made to sell the data they stole."
If hackers can breach any company regardless of its current defenses and they’re interested in getting their hands on everything—not just data they can sell—then the likelihood of a breach has gone up.
But it gets worse. The Sony hack has also taught us that the potential cost of a breach has risen. That's because government-backed hackers aren't looking to steal structured data, such as credit card information or social security numbers. The cost of losing this type of information is well known, and averages $201 per compromised record, according to the Ponemon Institute's 2014 Cost of Data Breach study.
Since hackers are often motivated by scoring political points, or causing a company embarrassment, these hackers look to steal and expose unstructured data, such as emails and other documents. Losing this type of data can lead to a drop businesses due to loss of reputation; senior executive resignations, as was the case in the Sony hack due to bad publicity; and legal headaches when confidential information is made public, such as pay differentials for male and female employees who do the same job.
"If you look at liability and the cost of lawsuits, this always turns out to be the most expensive part of a breach," Lewis says.
Because Risk = Cost x Likelihood, and since both the likelihood and cost terms have gone up, risk has increased on both fronts.
The purpose of investing in security measures is to manage security risk and ensure that it is reduced to an acceptable level. But what we've learned from the Sony hack is that the risk is actually higher than we previously believed. To reduce it to an acceptable level requires more investment in IT security.
"I think that most organizations should be spending more on security, but obviously the concern is that even if there is a 5 percent increase in the security budget, it doesn't mean it will be spent wisely," says Rick Holland, a security and risk management analyst at Forrester Research. "One of the biggest problems is chasing silver bullets—buying the soup du jour."
If government-sponsored hackers can break in to any company's IT infrastructure, then increasing spending on perimeter defenses may not be the right route. A more promising approach might be to invest in more effective intrusion detection systems to prevent hackers from exfiltrating data after they have broken in, according to Anton Chuvakin, research director at Gartner.
The good news is that there is new security technology on the horizon, and some of it looks like it will be a worthwhile investment. “Cutting-edge technologies show genuine promise and are already being used by enlightened companies," Chuvakin says. "Analytics may give a huge boost to defenders, as well as machine learning and threat intelligence. It's too early to say 'buy this and you'll win, but there is definitely light at the end of the tunnel."

CSO: http://ow.ly/LnSlb

« Proactive Cyber Security Strategies Improve Security Effectiveness
US: Comcast Ultra-fast Internet by 2016 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cybsecurity Foundation (CSF)

Cybsecurity Foundation (CSF)

Cybsecurity is a non-profit NGO, which aims to work on improvement of security levels in the Polish cyberspace.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

BlueID

BlueID

BlueID is an IDaaS technology product which enables your objects to securely connect and interact with your users’ smart phones and smart watches.

Ridgeback Network Defense

Ridgeback Network Defense

Ridgeback is an enterprise security software platform that defeats malicious network invasion in real time. Ridgeback champions the idea that to defeat an enemy you must engage them.

Information Network Security Agency (INSA) - Ethiopia

Information Network Security Agency (INSA) - Ethiopia

INSA's vision is to realize a globally competent National Cyber capability which plays a key role in protecting the national interests of Ethiopia.

Pradeo

Pradeo

Pradeo Security offers a complete, automatic and seamless protection to mobile devices and applications, aligned with your organization security policy while preserving business agility.

Blueskytec (BST)

Blueskytec (BST)

Blueskytec has applied its experience of over three decades of working in the field of embedded systems and encryption to provide a scalable and appropriate technology for cyber-physical devices.

CyberMDX

CyberMDX

CyberMDX delivers proactive security built for hospital devices. 360° visibility, insight, and protection for all connected hospital technologies.

Aristi Labs

Aristi Labs

Aristi Labs provides comprehensive security solutions to help businesses protect data and intellectual property, minimizing downtime and maximizing productivity.

SecondWrite

SecondWrite

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware.

Trail of Bits

Trail of Bits

Trail of Bits combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

Cybertronium

Cybertronium

Cybertronium is a leader in managing cyber risk. We bring you the latest from the complex, ever-evolving online threat environment with the insights to inspire and the expertise to act.

Datastream Cyber Insurance

Datastream Cyber Insurance

DataStream Cyber Insurance is designed to give SMB’s across the US greater confidence in the face of increasing cyber attacks against the small and medium business community.

Grindstone Ventures

Grindstone Ventures

Grindstone Ventures is a post-seed fund that supports post-seed equity and quasi-equity investments in early-stage innovation-driven and/or technology companies.

Cyex

Cyex

Cyex helps people to become cyber wise. We enable our clients to find, track and improve cyber awareness in one place.