Are companies spending their IT Security Budget on the wrong things?

Newly published research reveals that data breaches are on the increase—up 5% over the past year. That doesn’t sound like much, but it equates to just over a quarter (26%) of surveyed organizations suffering a breach during 2016 and almost a third (30%) considering themselves very vulnerable to data attacks. This despite almost three quarters (73%) of the organizations surveyed reporting an increase in security spending, up from 58% the year before.

Doing the math isn’t difficult here—businesses are spending their IT security budget on the wrong things.

Don’t mis-place your IT security budget

The top spending priorities uncovered in the research were network and endpoint related, while data-at-rest solutions were way down the list. This seems to be rather counterintuitive when you think about it, as encrypting data-at-rest is probably the single most effective way to ensure the privacy of that information. Endpoint security isn’t dead in the water, but it sure isn’t the be-all and end-all of a strong security posture either.

As former Cisco CEO, John Chambers, famously said, “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.” What he meant was that the time has come to stop throwing more money at trying to prevent a breach, and instead spend it on threat isolation and mitigation.

Consider the network to be a threat sensor that provides visibility into traffic flow, and thus returns intelligence to identify security threats. Consider the network as an enforcer, backing up your security policy to define segmentation, reduce the attack surface, and prevent threats from skipping laterally across the network.

It’s about best practice not compliance

In speaking with organizations, the reason for the spending mismatch is that compliance and not best practice usually heads the spending drivers. While compliance requirements are important to remember, we mustn’t forget that there are other considerations when it comes to building a strong security posture.

As Ian Trump, Global Cyber Security Strategist for SolarWinds MSP, is always keen to point out, the best security strategy is one that goes back to basics. The UK government Cyber Essentials scheme is one good example of the kind of basic security controls you need. To get a Cyber Essentials certificate your organization must have boundary firewalls, a secure configuration process, user access controls, malware protection, and patch management in place.

Allow your security strategy to evolve

But it’s also imperative that your security strategy is as dynamic as the threatscape it must defend against; data protection must evolve to match not only today’s threats, but tomorrow’s as well. What do I mean by evolving threats? Well, the two big threats that evolved into headline-spinning events last year were Denial of Service attacks and Ransomware.

Protecting against these involves a sideways look at security spending, to include the likes of fallback broadband connectivity and multi-factor backup routines. Neither are traditionally within the security remit, but the ever-changing threatscape demands they should be. Then there’s the cost of worrying about yesterday’s threatscape. Ask yourself if your organization has a process to decommission old IT security products—this security bloat costs money and protects very little.

None of us inhabits that ideal world where the IT security budget is sufficient to cover all threat bases without exception. Back in the real-world, prioritizing spending to ensure the best security for your organization is an essential piece of the data protection puzzle.

Increasingly, security spending as a capital expense is on the decline and as an operating expense it’s rising. This is a good thing as it keeps your costs down and your security posture strong. After all, spending money on the latest security solutions without trained staff that can properly configure and maintain them is both a waste of money and does nothing to keep you secure. It’s far better to buy into a service with trained staff, and let them do it for you.