When it comes to corporate budgeting, it's tough all over. But few places are feeling the pinch more than the office of IT security, where compliance and data security needs seem to be growing exponentially, but budgetary allowances – not so much.
“In one sense, security sells itself when you read the daily headlines,” says Arieh Shalem, chief information security officer for Orange, one of Israel's top three wireless telecommunications firms with about three million subscribers. “In another, it is more like insurance, so it's difficult to establish a true return on investment.”
The benefit, of course, is to be able to comply with regulations, handle data with integrity, ensure uninterrupted operations and guard the company's intellectual property and reputation, he says. “How do you measure those things?”
Indeed, recent surveys point out that, on average, security may only receive about one percent of an enterprise's overall information technology budget. This is typically because IT security is seen as a cost center rather than an expense deterrent and, as Shalem points out, it's often difficult to gauge the real ROI unless and until there is a large-scale breach.
Fengmin Gong, co-founder and chief strategy officer, Cyphort
Brian Levine, director of cloud security, Syncplicity
Mac McMillan, co-founder and CEO, CynergisTek
Scott Montgomery, chief technology officer of global public sector, Intel Security
Lysa Myers, security researcher, ESET
Al Pascual, senior analyst for Javelin Strategy & Research
Rob Sadowski, director of technology solutions, RSA
Jeff Schilling, chief security officer, Armor
Arieh Shalem, chief information security officer, Orange
Brian Levine, director of cloud security at Syncplicity, a Santa Clara, Calif.-based provider of secure file-sharing and collaboration solutions, says that for organizations on a budget, “perfection is not attainable, and regardless of how thorough your security program is, there will always be residual risk.” It is a bind, he says, between “being right all of the time and prioritizing controls based on ROI and strategic initiatives.”
The key challenge for CISOs is that they need to make a major advance in their capabilities “to detect and respond to today's threats with what is, in most cases, a minor advance in budget,” says Rob Sadowski, director of technology solutions for RSA, a Bedford, Mass.-based network security provider. Further, he says CISOs have to balance the operating cost of existing solutions with the acquisition and operating costs of major new solutions. This challenge is also compounded by rising personnel costs as attracting and retaining qualified security staffers becomes even more important, Sadowski adds.
Scott Montgomery, chief technology officer of global public sector for Intel Security, a global computer security software company headquartered in Santa Clara, Calif., says the challenge for IT security is that the budget is finite and the talent pool is extremely shallow. “You have to spend some of your budget and labor on compliance and regulatory considerations, the number of attacks continues to increase and, most importantly, the number of IP-enabled devices is exploding.”
All these factors create an unsolvable math problem for practitioners who control two things: the methods they choose to employ and the efficiency of their labor hours, he says.
Lysa Myers, security researcher for ESET, an IT security company with U.S. headquarters in San Diego, points out that when budgets are tight, it can be hard to “soothe the feeling that you may be putting too much emphasis on one thing while leaving gaping holes elsewhere.”