Simply investing larger amounts of money, however, is not a remedy and does not ensure higher resiliency for the organization. Spending wisely and appropriately is the true challenge, so as to maximize the Return on Investment (ROI). A high priority is not only to identify the strengths and weaknesses of the current infrastructure and discover where cybersecurity needs improvement, but also to look at which assets are worth defending and the most effective (and cost-effective) way to do so. It is also important to recognize that technology alone is not enough to safeguard the workplace. The role of the workforce in cybersecurity is growing.

Pinpointing exactly how much a company spends on IT security is difficult, as research and advisory company Gartner explains. Security costs are often hidden in other purchases or services. For example, they could be related to the addition of security features in production software, or to training that is normally mandated and paid for by HR. “Gartner’s view is that enterprises should be spending between 4 and 7 percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk.” This would include “explicit security spending [that] is generally split among hardware, software, services (outsourcing and consulting) and personnel.” According to the company’s analysts, worldwide spending on IT security will grow 8.7% in 2019, reaching $124 billion; this is a higher increase than that of general IT spending, which is expected to grow by only 3.2%. This is due to changes in regulations and the need to comply with newer privacy laws such as the GDPR. The International Data Corporation (IDC) goes further and expects “a compound annual growth rate (CAGR) of 9.9%. As a result, security spending in 2022 will be 45% greater than the $92.1 billion” that the company had forecast for 2018. Banking, discrete manufacturing and process manufacturing will be the driving forces behind this increase.

Currently, companies are concentrating mostly on technical countermeasures and, in particular, on proper authentication and authorization technologies as well as endpoint protection software. Ensuring that only authorized personnel have access to data is one of the main areas of focus for any business. This is in order to protect sensitive data, but it is also a response to regulatory compliance requirements. Another growing expense for 2019 is projected to be the purchase of security analytics, intelligence, response and orchestration (AIRO) software and network security software. In addition to the already mentioned identity and access management software, updated network security software in particular is going to be on the list for many companies this year and next. There will be an especially strong focus on endpoint security software and on security and vulnerability management software.

Integrating authentication and authorization technologies is a key element in which companies need to invest. Applying endpoint protection software, including good malware and ransomware protection, is paramount to creating the layer of barriers that protects users from common intrusion attacks. However, there are other items a cybersecurity budget should be spent on in order to better protect the IT infrastructure from today’s most common threats. Helping the organization withstand phishing and pretexting, preventing breaches due to outdated software, and keeping pace with the changing needs of the organization and the world are all important points. Let’s look at some of the items that an organization’s IT security budget ought to prioritize:

Workplace awareness training to prepare employees for cyberattacks they are most likely to face

Investing in educating personnel on ways to be resilient in the face of cyber-risks to digital assets is one of the smartest expenses, with the highest ROI, according to Osterman Research. Employees can be a powerful deterrent to data breaches. Security, in fact, goes far beyond purely technical measures. In many situations, hackers exploit what is considered to be one of the weakest links in the cybersecurity chain, the user, through methods that are virtually impossible to detect by software and hardware means. Social engineering tactics like pretexting, phishing and spearphishing are prevented by awareness rather than by technical countermeasures. Training employees can be achieved in many ways, including creative approaches that can actually be cost-effective. Posters, contests, tip-of-the-day emails, formal training and computer-based courses can all help raise awareness. In order to structure a complete, meaningful security awareness and training program, companies can also review NIST Special Publication 800-50.

Cyber-education to upskill staff

Maintaining and developing the skill sets of the IT workforce can also bring a great ROI. In particular, having a proper certification program is a great way to make sure IT employees always have up-to-date skills in their specialty. There are many benefits to paying for an employee’s professional certification, and such an effort is especially important for cybersecurity personnel, who are always facing new challenges in an ever-evolving field.

Patching

It might seem like stating the obvious, but patching is an important element of a good cybersecurity strategy and should always be a priority for the IT team of any organization. Unfortunately, this aspect is often overlooked by managers who would rather dedicate time and energy to other areas. Lack of patching is often identified as the culprit behind major breaches. One notable example is the 2017 Equifax breach, where the personal data of 147 million people was exposed because an Apache Struts flaw had not been patched. Companies should invest resources in making sure patch management is an integral part of the weekly routine and that software and firmware are always up to date and secure. Strategies should be implemented to make sure automated patch application processes are in place and that all fixes are tested and deployed as soon as they are available; this is also very important for regulatory compliance.
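A weekly patch routine is easier to enforce when someone can measure it. The following Python script is an added example, not code from the original article or from any vendor it cites: it compares an asset inventory against a baseline of required fixed versions, puts each unpatched host into a "pending" or "overdue" bucket based on how many days the fix has been available relative to a patch SLA, and reports a compliance percentage. The inventory, baseline, package names, versions and dates are all constructed for illustration, and the version parser assumes plain dotted numeric versions (a real deployment would use the package manager's own comparison rules).

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    host: str
    package: str
    installed: str  # version currently installed on the host


@dataclass
class Baseline:
    required: str   # lowest version that contains the fix
    released: date  # date the fix was published by the vendor


def parse_version(version: str) -> tuple:
    # Assumption: dotted numeric versions such as "2.5.13". Non-numeric
    # fragments are ignored, which is fine for this constructed inventory.
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_compliant(installed: str, required: str) -> bool:
    # Tuple comparison gives correct numeric ordering (2.10 > 2.9).
    return parse_version(installed) >= parse_version(required)


def patch_report(assets, baselines, today, sla_days=7):
    """Bucket every asset as compliant, pending (fix younger than the SLA),
    overdue (fix older than the SLA) or untracked (no baseline known)."""
    report = {"compliant": [], "pending": [], "overdue": [], "untracked": []}
    for asset in assets:
        baseline = baselines.get(asset.package)
        if baseline is None:
            report["untracked"].append((asset.host, asset.package))
            continue
        if is_compliant(asset.installed, baseline.required):
            report["compliant"].append((asset.host, asset.package))
            continue
        age = (today - baseline.released).days  # days the fix has been available
        bucket = "overdue" if age > sla_days else "pending"
        report[bucket].append((asset.host, asset.package, age))
    tracked = sum(len(report[k]) for k in ("compliant", "pending", "overdue"))
    report["compliance_pct"] = (
        round(100.0 * len(report["compliant"]) / tracked, 1) if tracked else 100.0
    )
    return report


def demo():
    # Constructed baseline and inventory (hypothetical packages and hosts).
    baselines = {
        "appserver": Baseline(required="2.5.13", released=date(2019, 3, 1)),
        "ssl-lib": Baseline(required="1.1.1", released=date(2019, 3, 20)),
        "kernel": Baseline(required="4.19.30", released=date(2019, 3, 28)),
    }
    assets = [
        Asset("web01", "appserver", "2.5.13"),   # patched
        Asset("web02", "appserver", "2.3.32"),   # fix is 31 days old: overdue
        Asset("db01", "ssl-lib", "1.1.0"),       # fix is 12 days old: overdue
        Asset("vpn01", "ssl-lib", "1.1.1"),      # patched
        Asset("app01", "kernel", "4.19.28"),     # fix is 4 days old: pending
        Asset("app01", "legacy-agent", "0.9"),   # no baseline: untracked
    ]
    return patch_report(assets, baselines, today=date(2019, 4, 1), sla_days=7)


if __name__ == "__main__":
    result = demo()
    for bucket in ("overdue", "pending", "untracked"):
        for entry in result[bucket]:
            print(f"{bucket:>9}: {entry}")
    print(f"compliance: {result['compliance_pct']}%")
```

The "overdue" bucket is the list a patch manager reviews each week; the "untracked" bucket is just as useful, because a package with no baseline is one nobody is watching for advisories.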

Change management

Change is an ordinary matter in everyone’s life, and this is true for companies as well. Organizations not only have to deal with their own shifting requirements but also need to adapt to ever-changing cybersecurity scenarios. Change management plans are as important as any of the other items discussed above and involve preparing for technological evolution as well as changing processes, training needs and organizational/mission shifts.

Third-party IT security services for risk management

What if a company can’t handle all the requirements of a proper cybersecurity strategy with in-house staff? According to IDC, this is one of the fastest-growing categories of spending for companies in 2019. In Europe, more than half of actual security spending will go to services, with a particular focus on managed security services, which are expected to reach 14.2%. A report by Forrester showed that, already in 2018, security services spending was higher than product investments. Gartner also noted that security services are expected to represent at least 50% of security software delivery by 2020. It is clear that many companies are deciding to rely on the expertise and resources of external parties that specialize in the field rather than attempting an in-house-only defense. This is often seen as a cost-effective measure and gives the company constant access to experienced personnel, as well as the latest technology, without too much overhead. Utilizing third-party vendors for security testing and risk management is also on the rise. Activities like proactive penetration testing, which is used to hack into a network or application to illustrate what an attacker might be capable of when targeting a particular system, are often done through third parties. Outsourcing cybersecurity services is not always the solution. But for many companies, especially small and medium ones, it can lower the costs of operating an internal security operations center (SOC) and hiring in-house IT security specialists or a team of experts. Investing in external third-party managed security service providers (MSSPs) can also ensure 24/7 monitoring and analysis at a controlled cost. Of course, employing a third-party vendor means that people external to the organization have access to the network and/or its most critical data, so companies must gauge whether the benefits outweigh the risk.

Sometimes a company is unable to protect some assets in a cost-effective or efficient way. In those cases, after evaluating the risks and the potential consequences of an incident, a business can consider cyber insurance to protect itself from Internet- and IT infrastructure-based risks. This solution gives business owners some peace of mind in case of cybercrime or an accidental data breach. Policies vary, and the company is still liable for the costs of the breach, legal claims and remediating any losses suffered by its customers or clients, but cyber insurance can help the company defray those costs. It cannot, obviously, help with the damage to the company’s reputation. An organization should also fully understand the limits of the coverage, so that it is not surprised by what the policy really covers after a malicious event. Such policies can cover the direct costs of data losses resulting from denial-of-service attacks and malicious hacking, for example, but they can also cover liability for losses caused to others and even periodic audits and investigations. It is also important to invest in products that have a proper revision program, so that patches and updates can be deployed quickly in response to the fast-moving IT threat landscape.

Conclusion

So what is the best strategy for your cybersecurity spending? This will of course depend on the company’s size, budget, scope of work and mission, but cybersecurity is never a waste of money. Devoting the necessary resources and increasing the budget is required, but knowing what to spend it on is the real challenge. Attention ought to be not on how much organizations spend, but on what they invest in: security technologies and the people who run them. In addition to the obvious security software and hardware tools, it is important to also think about how to increase the readiness of staff, who play an effective role in the organization’s cyber-resilience. The workforce is more of an asset when properly skilled and trained, so filling any knowledge gaps and increasing awareness is a must. Therefore, apart from the budget for network security equipment, third-party cybersecurity services and cyber insurance for infrastructure protection, it is wise to spend on user education to create a “human firewall.” This remains the most effective resilience strategy in the face of user-related vulnerabilities, including phishing attacks and business email compromise attempts to infiltrate organizations. Ultimately, a security-savvy workforce integrates with and improves the work of any of the technologies and endpoint security systems implemented.

Sources

Implement a Security Awareness and Training Program, Center for Internet Security

SIEM, UEBA, and SOAR – What’s the Difference?, American Security Today

What is cyber insurance and why you need it, CIO

Is your company spending enough on their cyber security budget?, Information Age

How Much Should Your Company Invest in Cybersecurity?, BlackStratus

Where Should You Be Spending Your Cybersecurity Budget?, BitSight Technologies

The Future of Companies and Cybersecurity Spending, RSAC Contributor

How IT departments will spend $3.8 trillion next year, Business Insider

Why testing user behavior is crucial to your cyber security, Information Age

Gartner Says Many Organizations Falsely Equate IT Security Spending with Maturity, Gartner, Inc.