Do Dangerous Gaps Exist in Your Cybersecurity Investments?

By Dwight Davis

Are there any companies today that don’t take cyberthreats seriously? Maybe a handful, but they are outliers in a world in which cybersecurity has become a top priority for most businesses.

That said, simply directing attention and investments toward cybersecurity initiatives isn’t enough. You have to be smart about how you invest so that no gaps in your defenses leave your company vulnerable to attack.

At a high level, at least, there are positive indications that companies are doing things right. For example, the IDG 2017 State of the CIO survey, which polled nearly 650 heads of IT, found:

  • Upgrading IT and data security was one of the IT leaders’ top three goals, garnering the same percentage of mentions as two other priorities – helping reach revenue targets and simplifying IT.
  • More than half (51 percent) of the respondents said their IT security strategy is tightly integrated with their overall IT strategy and roadmaps, up from just 37 percent saying the same a year earlier.
  • On average, IT security investments represented 12 percent of the total IT budget.

Given the wide range of IT agenda items, ranging from big data analytics to cloud computing to just “keeping the lights on,” the 12 percent of budgets going to cybersecurity represents a significant slice of the pie. As important as that macro investment amount, however, is the granular way in which the money is distributed.

There are several broad categories of cybersecurity investment, and companies can’t afford to underfund any of them. Those categories include cybersecurity technologies and controls; security staffing; employee education, training, and testing; and – of increasing importance – cybersecurity insurance.

Some companies have chosen to focus on technology investments. There is some justification for emphasizing this category of investment – which, broadly defined, can involve both the purchase and deployment of technology solutions on-premises as well as subscribing to managed and cloud-based security services. With the volume and diversity of cyberattacks constantly escalating, companies can’t hope to defend against them without the aid of sophisticated – and automated – threat identification and response systems.

Advanced technological defenses can also help fill in gaps that often exist in one of the other investment categories – security staffing. Finding and hiring needed security personnel is quite challenging nowadays, so companies may sometimes be forced to rely on technology rather than people. Even so, it would be foolish to proactively scale back security hiring in the belief that technology advances have made security expertise superfluous.

Historically, many companies have underfunded employee awareness education and training, but that tide largely turned as it became clear that employees with poor security practices were the source of many cyberbreaches. Even so, far too many companies still fail to educate their entire employee base, or to test employee awareness and practices on an ongoing basis.

Cybersecurity insurance is a relative newcomer to the security budget mix. Companies have learned that – no matter their defenses – they face high odds of becoming cyberattack victims at some point. Given this awareness, insurance policies are almost certain to capture a growing percentage of the overall cybersecurity budget. However, insurance should be treated as a complement to strong security technology, staffing and education, not as an alternative to them.

When making your cybersecurity investments, it’s critical that you direct the funds in a balanced way that addresses all of these security areas. Each one plays a critical role in building comprehensive defenses, and underfunding any of them could prove to be an extremely dangerous and costly error.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2017 IDG Communications, Inc.