Should You Spend More Money to Avoid Breaches?
We asked 70 cybersecurity professionals, old and new: How is it that cybersecurity spending is increasing but breaches are still happening?
We highlighted what a few of our contributors had to say below. Tweet us @threatcare whether you agree or disagree, or to show us your own answer to the question!
Is the spending increasing? Or are we witnessing companies that never (or barely) invested in security finally allocating money for this function? That’s a conversation no one wants to have.
Many companies are operating in deep technical debt, running legacy applications and systems that are unable to be secured. The need to appease stock analysts and shareholders has historically influenced decisions around product time to market, using cheap foreign labor for development, and running “lean” IT shops. As a result, security is an afterthought or not a thought at all. The retail industry is notorious for this.
Moreover, when companies do get money to invest, they want to skip the basics and either go for the shiny toys or perform “reduce the scope to check the compliance box” security programs. All of this leads to gaps in postures.
Therefore, the people, process, and technology fail… leading to continued breaches.
— Keirsten Brager, @KeirstenBrager
People and organizations seem to think they have to spend a massive amount of money to secure their infrastructure because that’s what they’re often told by the media, sales, or otherwise. People will drop all kinds of money on the fancy security appliance that does all the things, but at the end of the day, they probably don’t know how to use it properly, and they probably didn’t even realize they could have spent all that money on qualified individuals to implement most of these same features on free or open source software. Spend the money on training and recruiting the talent it takes to secure your organization instead of on the fancy box with all the bells and whistles.
— Whitney Champion, @shortxstack
I’m not sure that those metrics are correlated at all. Security is increasing and we’re actually seeing, by all industry metrics, that the number of breaches is decreasing. We’re hearing a lot more about breaches these days, so it seems like things are increasing, but I don’t know whether that’s actually accurate. It’s more of a perception issue. We’re also finding things that have existed for years.
— Robert M. Lee, @RobertMLee
Hackers gunna hack.
— Jim Manico, @manicode
Spending is not really up, actually. In most organizations, it’s flat or even down. And this is speaking as somebody who was trying to build a startup in the information security area and sell a product; budgets are down across the board. It’s largely because security is constrained to IT budgets, which have to do more with less every year.
But, at the same time as budgets are staying flat or even going down, at least in my view of the industry, the number of attack surfaces has dramatically increased with movement to the cloud. The number of information systems and tools is much larger than it’s been in the past because we rely on technology a lot more. And the number of devices that are being used to access information has gone up because we’re all running around with a couple of phones and a tablet in addition to a laptop or three. So, when you increase the attack surface by an exponent of 5 or 6, and you don’t spend any more on security—or even less—and you don’t change any of your existing information security practices (such as not patching on time), then it just makes your organization as a whole a lot more vulnerable.
Not only is there way more stuff to attack than there’s been in the past, there are a lot more people doing it because criminals have figured out that they can steal a lot of money by compromising information systems.
— Robert “TProphet” Walker, @TProphet