Cybersecurity spending: more does not necessarily mean better
Cybersecurity is not something you can simply buy; it is something you have to build, deliberately and thoroughly.
A couple of weeks ago, I had a great opportunity to explore the APAC cybersecurity market and meet many brilliant people during Black Hat Asia 2016. Singapore’s economic miracle has made its cybersecurity market as attractive as the North American one, drawing the largest security vendors to the region.
Advanced Persistent Threat (APT) protection, Threat Intelligence, Enterprise Immune Systems, Cloud Access Security Brokers (CASB), User and Entity Behavior Analytics (UEBA) – these are just a few of the offerings currently available on the cybersecurity market. I bet that many security industry professionals (including myself) hardly understand the real meaning of some of these terms, or, to be more precise, the real difference between them and the generic terms that have existed for years. But that is a topic for a dedicated article; in this piece we would rather concentrate on cybersecurity budgets and related challenges.
Cybersecurity budgeting should start with a holistic and comprehensive risk assessment. Once all threats and vulnerabilities are listed and prioritized, a company can proceed to a properly managed RFP (request for proposal) to select the right security controls. Each control should provide appropriate, efficient and continuous mitigation of a specific, identified risk, in accordance with the corporate risk strategy and risk appetite. In reality, however, things happen in a very different and much less effective way.
This year, Obama asked for a $19 billion cybersecurity budget across the US government (an increase of $5 billion), citing computer attacks as among the most imminent security challenges facing the United States. The UK government will also double its cybersecurity funding to fend off ISIS cyber-attacks. Meanwhile, Gartner predicts cybersecurity spending will hit $170 billion by 2020. This sounds very promising for the cybersecurity industry; however, we need more facts to understand the real state of affairs.
An alarming signal comes from PwC’s State of Cybercrime Survey: almost half (47%) of respondents said that adding new technologies is their main spending priority, higher than any other initiative. Only 24% said that redesigning their cybersecurity strategy is a priority, and a mere 15% prioritize cybersecurity knowledge sharing. This suggests that companies spend their budgets on new technologies before conducting a proper risk (re)assessment, and quite often skip cybersecurity RFP best practices altogether. It helps explain why, despite all the budget increases mentioned above, the average annual cost of cybercrime per organization rose again in 2015, to $7.7 million, while overall cybercrime costs are projected to reach $2 trillion by 2019.
According to EY’s Global Information Security Survey 2015, 69% of respondents say their information security budget needs to rise by up to 50% to protect the company in line with management’s risk tolerance. At the same time, only 40% of respondents hold an accurate inventory of their ecosystem (data, network connections, third-party providers), and as few as 34% would rate their security monitoring as mature or very mature. When even these basic requirements are not met, spending on new technologies makes little sense: you cannot monitor, patch or protect assets you do not know you have. It is like treating a cold while ignoring a cancer.
According to the above-mentioned PwC survey, as many as 91% of respondents have adopted a risk-based cybersecurity framework, such as ISO 27001 or the NIST Cybersecurity Framework. However, as the numbers show, “adoption” does not necessarily mean proper implementation and maintenance of the framework. External experts and partners, company employees and top management should all participate in risk identification and cybersecurity knowledge sharing. Otherwise, you may overlook critical risks, or mitigate the wrong ones, spending money on something you don't need.
Risks should be carefully and continuously monitored and re-assessed before any money is spent on new defensive technologies against emerging threats, which are quite often exaggerated by vendors, or simply not applicable to the corporate IT infrastructure in question.
Jan Schreuder, Partner and cybersecurity leader at PwC Switzerland, comments: “We are also seeing that many organizations are investing in security technologies without first having the people with the skills to properly implement or operate those technologies. Investing in improved cybersecurity capabilities starts with people - recruiting and training people with the right skills, or getting access to them through a service provider. When you have the right people in place, the return from your investment in security technologies increases exponentially, in the form of risk reduction or enablement of your business. In my view the most effective security teams have ‘smart people with smart tools’ - without the smart people the tools will never be that smart.”
Therefore, if we don’t want the cybersecurity bubble to burst, we should first ask which specific risk a particular cybersecurity product or solution mitigates, then check whether all higher-priority risks have already been addressed, and only then run an RFP to select the most competitive product on the market. Otherwise, we are pouring money down the drain.