Australian infosec budgets are probably wrong: Deloitte

The global infosec mind shift must be translated into a budget shift, says Deloitte, and organisations that hold back on this change will suffer worse.

Australian organisations are lagging when it comes to shifting the focus of their information security efforts from merely securing their networks to detecting intrusions, responding to them, and building resilience, according to senior security and risk executives from Deloitte, the international consulting firm.

Deloitte divides an organisation's infosec spend into three areas, each labelled with an adjective.

"Secure" is the technology that protects critical assets against known and emerging threats across the ecosystem. This includes traditional network protection capabilities such as firewalls, anti-malware and anti-spam systems, and intrusion detection and prevention systems (IDS/IPS).

"Vigilant" is about having the intelligence and monitoring capabilities to detect both known and unknown bad-guy activities, and understanding the extent to which they're a risk to the business.

"Resilient" is about strengthening the organisation's ability to recover when incidents occur -- which they inevitably will.

Old-school network administrators will recognise this as an echo of the 1990s paradigm for network security: protect, detect, react and, added later as a fourth stage, adapt (or, in some versions, recover).

In the US, Canada, and the UK, organisations that have engaged Deloitte are now spending much less of their infosec budgets on "secure". In the US, "secure" is now only about 20 percent of the total, according to Kelly Bissell, Deloitte's global cybersecurity leader, and leader of its global incident response team.

"Most US companies are relatively mature when it comes to security, and they have seen where their budget around 'secure' is good enough. They've got enough firewalls and intrusion detection systems, and now they're moving much more of the budget into 'resilient' and 'vigilant' kind of functions," Bissell told journalists in Sydney on Wednesday.

"If I were to cut up a dollar spent on security for the US, 20 cents is spent on 'secure', probably 40 cents is spent on 'vigilant', and the rest is on 'resilient'," Bissell said. "The US companies have found that they have to be able to detect better when the bad guy's on the inside -- whether they're an employee or an external person -- and how to recover as fast as possible."

But while Australian organisations are demonstrating "a little bit more focus" on the "vigilant" and "resilient" areas, Deloitte's cyber risk leader in Australia, Tommy Viljoen, said that isn't necessarily translating into action.

"A little bit more is happening over the last 12 months about 'Are we resilient? Do we have the processes in place? Have we organised the necessary skills and competencies, so that if we are under attack, that we can do something about it? Are we prepared?' But if I look at where most of the budget spend is, from a number of organisations, it's still in that protection zone," Viljoen said.

"The mind shift that we're starting to see has not translated into budget shift," he said.

"I would say the 'secure' spend is still about 50 percent. I would say more of the budgets that I've seen in the last six months are focusing on the monitoring component, and the 'resilient' is still limited mostly to 'Let's do an exercise and see what happens. Let's play out a particular scenario ... that's a two-day event.' That's what's in the budget."

Bissell's advice, from a global perspective, is to make the shift early and so avoid some of the pain that the US has been suffering.

"I truly believe that the companies that hold back to the end are hurt the most -- unless they get lucky," he said. "I believe the companies who do best, and avoid the biggest problems, are the ones who are most proactive and learn from others' issues. That's the most lucky, if you will, of the companies."

Deloitte's comments came as the company announced the establishment of its new Cyber Intelligence Centre in Australia, linking with the company's existing intelligence centres in the UK, Europe, Canada, and the US.

James Nunn-Price, who established Deloitte's Cyber Intelligence Centre concept and oversaw its implementation in the UK in 2013, has moved to Australia this week to establish the Australian operation and become the company's Australian cybersecurity leader.

Nunn-Price was previously responsible for Deloitte's overall information security, resilience, and cyber advisory services to the UK government, and personally assisted the London 2012 Olympic Games leadership team with cyber incident response, crisis management, and forensics.

He also claims credit for the word "centre" in Cyber Intelligence Centre being spelled correctly.