When it comes to corporate budgeting, it's tough all over. But few places are feeling the pinch more than the office of IT security, where compliance and data security needs seem to be growing exponentially, but budgetary allowances – not so much.
“In one sense, security sells itself when you read the daily headlines,” says Arieh Shalem, chief information security officer for Orange, one of Israel's top three wireless telecommunications firms with about three million subscribers. “In another, it is more like insurance, so it's difficult to establish a true return on investment.”
The benefit, of course, is to be able to comply with regulations, handle data with integrity, ensure uninterrupted operations and guard the company's intellectual property and reputation, he says. “How do you measure those things?”
Indeed, recent surveys point out that, on average, security may only receive about one percent of an enterprise's overall information technology budget. This is typically because IT security is seen as a cost center rather than an expense deterrent and, as Shalem point out, it's often difficult to gauge the real ROI unless and until there is a large-scale breach.
Fengmin Gong, co-founder and chief strategy officer, Cyphort
Brian Levine, director of cloud security, Syncplicity
Mac McMillan, co-founder and CEO, CynergisTek
Scott Montgomery, chief technology officer of global public sector, Intel Security
Lysa Myers, security researcher, ESET Al Pascual, senior analyst for Javelin Strategy & Research
Rob Sadowski, director of technology solutions, RSA
Jeff Schilling, chief security officer, FireHost
Arieh Shalem, chief information security officer, Orange
Brian Levine, director of cloud security at Syncplicity, a Santa Clara, Calif.-based provider of secure file-sharing and collaboration solutions, says that for organizations on a budget, “perfection is not attainable, and regardless of how thorough your security program is, there will always be residual risk.” It is a bind, he says, between “being right all of the time and prioritizing controls based on ROI and strategic initiatives.”
The key challenge for CISOs is that they need to make a major advance in their capabilities “to detect and respond to today's threats with what is, in most cases, a minor advance in budget,” says Rob Sadowski, director of technology solutions for RSA, a Bedford, Mass.-based network security provider. Further, he says CISOs have to balance the operating cost of existing solutions with the acquisition and operating costs of major new solutions. This challenge is also compounded by rising personnel costs as attracting and retaining qualified security staffers becomes even more important, Sadowski adds.
Scott Montgomery, chief technology officer of global public sector for Intel Security, a global computer security software company headquartered in Santa Clara, Calif., says the challenge for IT security is that the budget is finite and the talent pool is extremely shallow. “You have to spend some of your budget and labor on compliance and regulatory considerations, the number of attacks continues to increase and, most importantly, the number of IP-enabled devices is exploding.”
All these factors create an unsolvable math problem for practitioners who control two things: the methods they choose to employ and the efficiency of their labor hours, he says.
Lysa Myers, security researcher for ESET, an IT security company with U.S. headquarters in San Diego, points out that when budgets are tight, it can be hard to “soothe the feeling that you may be putting too much emphasis on one thing while leaving gaping holes elsewhere.”
When resources are scarce, she says, it's vital to take more time in planning. “It's important to do a thorough and ongoing risk assessment to see clearly what your assets are and whether they're being adequately protected,” Myers says. Having a culture of security is also a big part of making sure coverage “sticks,” she adds. “You can have the best coverage in the world, but if people are undermining protections, it will all have been for naught. It's important to educate your employees and staff early and often.”
As with most trends, some industries have been more adversely affected than others by the growth of IT security concerns and the continued stretching of financial resources working at odds. Often, this is affected by how highly regulated the industry is – and therefore, how much of an investment is expected for compliance just to stay ahead of regulatory concerns – as well as how much individual enterprises in a sector have already fallen prey to big breaches. Industry experts like Myers, for example, report that anecdotally they are seeing more retail companies increasing their IT security budgets in the wake of highly publicized attacks at Target, Home Depot, Michaels and several other prominent retailers. On the other hand, given the razor-thin margins on which most retailers are operating, it's difficult to spend too much more.
With the basic pressure around operating costs and lower returns, everyone is affected, says Mac McMillan, co-founder and CEO of CynergisTek, an Austin, Texas-based information security and privacy consulting firm. But, McMillan and other industry insiders point to the health care and government sectors as the ones feeling the greatest pinch, as these both have a lot of bases to cover with IT security coverage and represent increasingly popular targets for hackers. Plus, both are subject to intense compliance scrutiny. And yet, McMillan says, unlike financial services, where there are typically iron-clad best practices and audit practices, many health care industry CISOs may not have the leverage to demand higher IT security spending. In health care, he adds, 95 percent of CISOs work for the chief information officer or a direct report of the CIO, two or three levels removed from the CEO and the board.
The medical industry vertical is by far the most targeted and least prepared to limit the success by cybercriminals and nation-state level attacks, according to Jeff Schilling, chief security officer for Armor (formerly FireHost), a cloud computing security provider with headquarters in Richardson, Texas. [The company changed its name from FireHost to Armor as part of a rebranding in August].
“They have rich targets of groundbreaking medical research and valuable customer data, but have a corporate culture of putting their biggest investments in saving lives versus protecting data,” Schilling says. “I cannot argue that those priorities are wrong, but it does create a quagmire of security professionals trying to protect important data with very limited resources.”
Schilling adds that CISOs of medium to large corporations are often placed in a “Kobayashi Maru scenario,” referencing the famed no-win training exercise first presented in Star Trek II. Regulations and standards are forcing security leaders to fight with a decade-old strategy wherein they must try to protect their whole infrastructure from cyberintrusion, he says. “But that is not winnable, no matter how much instrumentation, Big Data analytics and artificial intelligence you throw at the problem,” Schilling says. Since most threats target two percent of networks with the crown jewels of assets, he says that innovative CISOs are treating the other 98 percent as contested space and focusing on ensuring the two percent is hardened and that any connections from the contested space has adequate sensors and is whitelisted.
Orange's Shalem agrees, saying that many of his security executive peers talk about increasing perimeter security, better protecting data through encryption and more access controls, establishing breach contingency plans and purchasing cyberinsurance. They are talking about building taller and wider walls, he says, to increase threat prevention systems, despite knowing that breaches are inevitable. IT spending needs to reflect the fact that if an enterprises has not already been breached, it will be soon, he adds. As part of this strategy, he advises, more dollars should be diverted to behavioral anomaly detection and active breach detection.
On a similar note, Fengmin Gong, co-founder and chief strategy officer for Cyphort, a Santa Clara, Calif.-based security firm, says he is seeing more adaptive and sophisticated organizations adopt a “continuous monitoring, diagnostics and mitigation approach” instead of employing and outdated “deploy and forget” approach. These businesses are using new tools to automate detection and incident response to make the most out of limited staffing, he adds.
Also, McMillan at CynergisTek (left) points out that smart and talented CISOs are evolving to “speak the language of business to translate their security requirements into business requirements” in order to win a larger budget and drive greater interest in IT security in general.
CISOs are also becoming more inclined to bargain-hunt. Al Pascual, senior analyst for Javelin Strategy & Research, is starting to see more security executives replacing solutions that were previously considered “must-haves” with those from more cost-effective competitors. “Comparison shopping and a willingness to test smaller, more innovative and cheaper solutions is becoming a trend,” he says.