Cybersecurity is becoming an unsustainable tax on business

The annual costs of cybersecurity are doubling for some firms as huge data breaches force them to hire specialists and buy more software.
Written by Tom Foremski, Contributor

The cost of cybersecurity has become a burdensome tax on business and with 1.5 million IT security jobs unfilled, US corporations are losing to sophisticated criminal gangs, said security experts at a recent event in San Francisco.

"Cyber is a tax on business. Jamie Dimon [JP Morgan Chase CEO] has had to double his cybersecurity budget to $500 million. Things can't continue this way forever, we have to get ahead of the problem," said Ray Rothrock, a veteran VC, now chairman and CEO of RedSeal, a startup that measures the effectiveness of enterprise security.

He said that the size of the problem and the opportunities are what lured him out of retirement in early 2014 to run RedSeal. He made 53 startup investments including "over a dozen" in cybersecurity when he worked at VC firm Venrock.

JP Morgan Chase last year doubled cybersecurity budgets to $500 million and expects to spend the same amount this year. The financial services giant had a bad computer security breach in 2014 when 76 million household accounts -- two-thirds of all US households -- were compromised.

Chris Webber, security strategist at ID security startup Centrify, said there are 1.5 million IT security jobs unfilled. It shows the size of the problem and that the criminals are winning.

"There are new security risks such as Apple's recent decision to speed up approval for software in its app stores. Will this let more malware escape scrutiny?" asked Domingo Guerra, co-founder and president of Appthority, a start-up that monitors mobile apps for data risks in the enterprise.

Dwayne Hall, CEO of startup Opaque Communications, said his company is working with government security agencies on a way of preventing some people from downloading its technologies for secure and untraceable messaging. "If they are on any watch lists then they could be blocked from downloading our software," Hall said.

Andy Grolnick from LogRhythm, a start-up that analyzes data to spot security risks from within, said that companies cannot rely on perimeter defenses and that spotting criminal behavior relies on being able to normalize massive amounts of machine data.

Foremski's Take: Is enterprise security achievable? I could buy everything at the annual RSA Data Security show and still not feel secure. There are countless new exploits being discovered daily, which means they could have been exploited for a long time before.

Add the fact that large enterprises don't know the location of all their sensitive data and therefore can't protect it or even know if it has been breached. Cybersecurity is a mess.

Buying things online used to be a one-click process but that was many years ago. Additional security checks of different types make buying things online a chore and certainly not the frictionless experience we were promised.

Anything that disrupts the consumer experience is ultimately a danger to the entire economy. Ray Rothrock at RedSeal is right: we have to get ahead of the problem.
