A Naval cryptologic technician works with a high school student at a CyberThon in Pensacola, Fla. Today’s columnist, David “Moose” Wolpoff of Randori, says companies spend too much money on tools they don’t use. Better to invest in people and train them so they really know how to use the tools. (Official U.S. Navy Imagery CC BY 2.0)

It’s an age-old question for any company: How much should it spend on security? The answer: less than it spends today. The more a company spends on security, the more revenue it diverts from other resources. And if the business isn’t any more secure for it, that spending is hurting another part of the business.

Security teams really need to ask: “If I invest in this product, will I reduce risk by so much that it positively impacts the company’s bottom line?” In the vast majority of real-world cases, massively inflated security budgets represent a huge waste of resources, and they also contribute to an overarching artificial hubris that has led the security community to misconceive the very meaning of the word secure. Said another way: companies that increase security spend by checking boxes are creating purely cosmetic change, and that change only increases the company’s attack surface.
