The role cybersecurity should play in 2019 IT budget planning

As CXOs set out to plan their IT budget, changes in the security landscape must be top of mind.
Written by Conner Forrest, Contributor

If you were to ask IT pros what causes them the most stress in their jobs, many would likely say cybersecurity. According to a 451 Research Digital Pulse survey of IT generalists, 36 percent pointed to information security as the topic that keeps them up at night.

"Threats continue to multiply and expand; breaches seem to be getting worse, in terms of scale, depth and sophistication," said Steve Wilson, vice president and principal analyst at Constellation Research. "Data is the lifeblood of the new digital economy, and the sophistication of criminals seeking to exploit that is growing all the time."

According to a July report from Neustar, IT security professionals are twice as concerned about data breaches and cyberattacks as they were last year. And that concern is impacting the budget process, as 17 percent of the respondents to 451 Research's survey cited information security as the largest budgetary increase area in 2018.

Daniel Kennedy, a research director at 451 Research, told ZDNet that the firm's Voice of the Enterprise Information Security study found 80 percent of organizations were planning to increase security spending overall this year.

Still, understanding that cybersecurity is critically important is one thing; understanding how it should impact your 2019 IT budget planning is something else entirely.

Budgeting is (obviously) all about the money, so let's start there. As Gartner vice president and distinguished analyst Paul Proctor told ZDNet, the biggest mistake you can make when budgeting is to blindly throw more money at your security team and expect better results.

"I'm not a fan of what is the most common practice out there, which is to ask how much are others spending on cybersecurity," Proctor said. "That is not useful, because there are organizations that are spending a ton on cybersecurity and they have very bad risk postures, and there's others that aren't spending very much but they have very good risk postures. The bottom line is: It's about their level of readiness."

For Proctor, readiness is not about how much you spend on controls, but how good your controls are at defending your organization. The amount you're spending doesn't always correlate with your security maturity or readiness level, he said. Instead, leaders should be asking themselves if they have the level of readiness they want and, if not, whether they need to spend more to get there.

Value for money

Many CFOs don't look at readiness, Proctor said. They ask about industry benchmarks for spend, but neglect to ask about value for money. When it comes to security, "CFOs should always ask the question, 'what am I getting for the money I'm spending?'," Proctor said.

Once you understand that correlation between your readiness and what you're spending, you can begin to have deeper discussions around the price/performance ratio. This allows you to ask whether or not you can spend less with other tools or outsourcing and maintain the same level of maturity and security readiness, Proctor said.

Essentially, said Constellation Research's Wilson, it boils down to this: "What the IT function does with its cybersecurity resources is more important than how much they spend."

According to 451 Research's Kennedy, citing a study by Javvad Malik, security products are rarely retired. In fact, they're usually just added to and built upon, which can cause problems around the build-up of unnecessary shelfware. This also stems from products bought strictly for the sake of compliance that may never have been aligned to any business goal.

When pruning, Kennedy said, "look for products that you aren't getting current value from, and were implemented under murky circumstances or justifications -- an auditor who is no longer around insisted on it, a champion of that project or vendor has moved on, etcetera -- or where a different product you have in place is creating the same value."

However, he cautioned, security budgets seem to be increasing all around, and now might not be the best environment for cost-cutting in information security. Kennedy and his team are seeing predicted increased allocations toward cloud infrastructure security, managed services, user behavioral analytics, and orchestration/automation type solutions, he said.

Distinct line items such as security personnel, security training, threat monitoring, vulnerability assessment, security tools, security upgrades, and continuous improvement should exist, Wilson said, but they need to be factored into IT across the board.

"Cybersecurity should be thought of as a component of enterprise risk management -- though not necessarily run by enterprise risk -- and what follows from that thinking is that HR, finance, operations etcetera should all have some 'allowance' for security," Wilson said.

Beware of hype

Overall, when looking at a tool, it's important to gut-check the hype that surrounds it, Proctor said.

"Don't follow the snake oil," Proctor warned. "Yes, AI is going to be a big deal in security right now, but people are spray-painting the concept of machine learning and AI on every single thing they do."

IT needs to be very careful with its spend in areas like AI while they are still developing. Look for what can add real value to your organization. The same applies when IT decides which threats it believes it should protect itself against. Despite how publicized ransomware has been over the past couple of years, Kennedy said that only about 13 percent of organizations represented by 451 Research's respondents had been victims of ransomware, and most of them simply restored the affected data from an available backup. To put it simply, don't chase headlines as a strategy for figuring out which threats are the most relevant to your organization.

And, if you have no idea where to start in terms of navigating the threats on the horizon, Gartner's Proctor offered a simple solution.

"If you don't know that answer for your organization, invest in threat intelligence, which will tell you what threats you should worry about," Proctor said.

Indeed, taking a risk-based approach to security posture and budgeting seems to be on the rise, according to Proctor. As such, CFOs may need to consider whether they want to shift to that security model and change their budget to accommodate it.
