Reallocating your security budget

The security industry is exploding with employment opportunities, products and startups, yet we continue to hear of data hacks and breaches affecting organizations on a regular basis. Companies now need to know how to efficiently respond to a cyber attack, as well as manage the aftermath.

Last year, businesses were spending almost $400 per employee on security efforts, and a new study for 2015 found that 75% of CIOs plan to invest even more in cybersecurity this year as it is a top concern. Although this increase in spending and attention on cyber attack prevention is a step in the right direction, many companies are spending their resources without really understanding the best practices and tools to prevent breaches within their company.

Where are your cybersecurity resources going?

In a recent interview with Information Week’s Dark Reading, Jason Straight, senior vice president and chief privacy officer at UnitedLex, which provides outsourcing services and support for the legal industry, spoke on what organizations are doing wrong:

“Misallocation of security resources: we continue to be more focused on perimeter protection than on internal controls and monitoring. It’s clear that attackers are already inside or could be anytime they want and there’s nothing you can do about it on the perimeter. We continue to dump money in there, which is exactly what the security industry wants you to do. There’s a ton of money in selling all these tools. The big reason people are not focused as much internally is that it’s hard.”

Focusing on interior vs. perimeter

Surveys of companies found that many already had cyber security software lying around but unused. It was found that 4.8% of security software was not being used at all, and almost 24% was working but could be better. Now let’s show these statistics with dollar signs: for every $115 spent on security software, $33 were either underutilized or never used at all. In a company of 500 employees, $16,000 worth of investments is being wasted.

The most common response for wasted security tools was a shortage of IT resources, including lack of time to implement tools, not enough training and too few team members.

• 35% said IT was too busy to implement security tools
• 33% said their IT teams did not have enough staff
• 19% said they lacked knowledge of purchased security software
• 17% said they lacked training to employ new software

While it is smart to be purchasing cyber security systems for an organization, businesses should set realistic expectations for IT staff resources, and budget the department accordingly to minimize the problems of underutilized security programs. There should be a fine balance of time and finances that are spent on both perimeter security tools and the interior department that will implement these tools. Management should not only be allotting a budget for higher skilled security talent, but also for in-person security training and cyber security education across the organization. While it may seem smart to save money by hiring cheaper security employees or eliminating training, in the long run this increases the risks of your organization experiencing a data breach.