February 19, 2015

Information Security Program: Does the Budget Match the Risks?

Security budget stats are confusing. While the frequency and cost of data security incidents are up, some research shows information security program spending is down.

According to PwC’s Global State of Information Security Survey 2015, the reported number of security incidents in 2014 rose 48% to 42.8 million. At the same time, the same survey found that global security budgets fell by 4% compared to 2013.

Interestingly, IT research firm Gartner Inc. said that security spending in 2014 would increase almost 8% compared to the previous year, to $71.1 billion. Furthermore, Gartner forecast that total information security spending will grow another 8.2% in 2015, to $76.9 billion.

Why don’t these numbers add up?

Rob Cotton, who heads the security consultancy NCC Group, may have the answer. In an online article, he says security spending has become entwined with many areas of the business.

“Traditional information security and risk management are only a few areas of security,” he said. “It has become more pervasive and is now embedded within numerous business functions, processes and operations... meaning spending is often taken from multiple budgets in a de-centralized fashion without being itemized as cyber security.”

Here are key areas in any workplace where security budget allocations are needed:

  • Risk analysis. Perform regular risk analyses to identify where confidential information resides, and to find the weak policies and procedures that increase the likelihood of a breach.
  • Technology. There’s no question that intrusion prevention and detection tools, privileged access management, vulnerability scanning, and data loss prevention software are important. In a recent Ponemon study, 67% of respondents said their organizations ensure, based on an IT risk assessment, that IT has the budget it needs to defend against attacks.
  • Training. Many organizations do not hold security training sessions for their employees, according to Shred-it’s 2014 State of the Industry Information Security report. But regular formal training, backed by a culture of security from the top down, supports employee knowledge of and commitment to information security.
  • Insider threat reduction. Recent research by Ponemon showed that most companies expect the risk of privileged user abuse to continue or get worse. It also showed that 51% allocate between 5% and 8% of their overall IT budget to insider threat technology. Workplace policies also protect confidential information from insider fraud: an anonymous tip line, locked consoles for discarded documents, and a Shred-all policy so that every document is destroyed rather than leaving employees to judge what is sensitive.
  • Supply chain. Third parties must be security- and privacy-minded too. For example, a document destruction partner should provide a secure chain of custody from the moment paper is collected in locked consoles in the workplace through removal and secure on- or off-site shredding.
  • Aggressive mobile policy. Whether the company supplies mobile devices or allows BYOD, keep in mind that the mobile workforce has been identified as a major risk to information security. Create a mobile risk assessment strategy that defines email security, authentication requirements for gaining access, and encryption for data on the device. Teaching security-minded work habits, so that devices are never left unattended and lost, is important too.

Take this free security risk assessment to determine significant breach risks in your information security program.