Enterprises seem to be getting the message, at last, that security posture cannot be measured by pocket depth as budgets get cut by a third.
According to the latest PwC 'Global State of Information Security Survey' security spending has dropped by a third in the last 12 months. But is business spending that reduced budget wisely? SC Media UK has been finding out...
The annual PwC information security survey is always good for a host of key results. The 2018 report doesn't disappoint in this regard. Only 49 percent of organisations conduct penetration tests yet 28 percent have no idea how many cyber-attacks they suffered last year.
Or how about only 44 percent of organisations in the UK that formally work with others in their industry to reduce potential future risk of attack, compared to 58 percent globally?
Oh, and only 53 percent have any cross-organisational team working on cyber-security issues within the enterprise itself.
All of which would be food for thought, but when you also consider that security budgets have dropped by a third (from £6.2 million to £3.9 million on average) the analytical indigestion really starts to kick in.
You only have to read the news here on SC Media to see that there is little slowdown in the rate of compromise, the number of headline-creating breaches. Which leaves us wondering whether the enterprise is spending its reduced budget on the right kind of cyber-security or is just continuing to throw good money after bad, albeit less of it?
Mark Kedgley, CTO at NNT, admitted that "wasted money in cyber-security never ceases to pain and amaze us" continuing "we meet plenty of disillusioned cyber-security teams who have wasted money that could have been better spent, usually on products that are too difficult to use or take too long to deliver results, all at the expense of their security." Kedgley argues that focus on core security tasks is often being lost by the turning of heads toward the most hyped new innovation. "As with most things in life" Kedgley told SC "it's important to get the basics right first and in cyber-security."
Fraser Kyne, EMEA CTO at Bromium, agrees that businesses are often throwing their money at the wrong security tools. "Organisations have spent millions upgrading to next-gen security solutions with ‘AI-driven threat detection' and ‘cloud-based behavioural analysis' but they are just getting faster at failing" he insists. "This is because the whole detect to protect model is fundamentally flawed" Kyne told us "trying to protect organisations using detection tools is like trying to catch flies with a fish net."
Steve Mulhearn, director of enhanced technologies UKI & DACH at Fortinet, is more upbeat though. He sees customers being faced with a fast evolving threat landscape, making process and cultural changes to tighten security by restricting what employees can do on the Internet. "This is alleviating pressure on budget spending on traditional prevention technologies" Mulhearn reckons "and allowing a shift to true value added solutions such as sandboxing."
Steve Nice, chief technologist at Node4, told SC Media UK that "frankly, the scale of today's security challenge is often outstripping the resources and capabilities of in-house teams. In many cases, the best approach may be to utilise a managed service. This can allow businesses to access industry-leading expertise and advanced monitoring tools that might otherwise be impractical, while also improving their security resilience."
Ian Trump, chief technology officer at Octopi Managed Services, was equally frank. "Enterprise security is failing at a most basic level" Trump insists "and due to that the security vendor solutions are failing or are being ignored entirely." Trump doesn't think this is necessarily the fault of the vendors though. "If the basic enterprise security tasks such as vulnerability management and administrative account control are not practiced with discipline and rigor" he concludes "then the platform on which we heap security solutions is structurally unsound."
We will leave the last word with Javvad Malik, security advocate at AlienVault, who points out that while it's hard to pin down specific reasons as to why cyber-security budgets have been cut for many enterprises "it could be that despite years of increased spend, the breaches continue to roll on; forcing companies to rethink their strategy on cyber-security." As Malik concludes "greater spend doesn't always equate to better security; rather investing in the right areas is what is needed more often than not."