Gartner: Additional Security Does Not Mean Additional Money

IT managers trying to figure out how much money to budget for information security purposes each year might want to take note of some recent advice from Gartner Inc.: According to the Stamford, Conn.-based analyst firm, despite the growth in targeted attacks and the continuing discovery of new vulnerabilities, almost 90 percent of the threats companies face today can be handled without any extra investment in security.

Instead, companies need to reduce some of the money they’ve spent over the past few years protecting against mass attacks — redirecting those freed-up resources to confront more narrowly directed emerging threats.

A lot of companies spend too much money on security controls such as firewalls, anti-virus software and other desktop protection tools designed to defend against traditional mass attacks, said John Pescatore, a Gartner analyst.

According to Pescatore, over the years such products have become highly commoditized and can be deployed for far less than many companies currently shell out for such protection.

“A lot of it is just inertia,” he said. For instance, companies that signed up with one vendor years ago simply continue to do business with that vendor without exploring any of the cheaper and equally functional options available for desktop protection. Those who might be inclined to make the switch to cheaper technologies often mistakenly assume that such migrations are either prohibitively expensive or too complex.

The same is true for the multitude of remote access technologies that companies continue to support with very little reason to do so.

According to Pescatore, such inefficiencies have resulted in average organizations spending more than 5 percent of their IT security budget on security, and close to 12 percent if disaster recovery is included. However, he said, Gartner has seen little evidence to suggest that the more you spend on security the better your security gets. In fact, companies with really mature security practices rarely average more than 4 percent of their total IT budget on security.

“Security strategies must reduce the cost of dealing with mass attacks to free up investment and personnel resources” for dealing with today’s more complex targeted attacks, Pescatore said.

“Being aware of ’inside out’ communications and being able to block those as effectively as ’outside in’ is becoming increasingly important.”

Such planning is important at a time when the costs associated with security breaches are going up sharply. Over the next two years in fact, companies can expect breach-related costs to increase on average by 20 percent each year compared to today, according to Gartner.

That increase, said Pescatore, is fueled by several factors. Increasingly, companies that suffer data breaches are getting sued by victims as well as by other affected parties. Though such suits have gone nowhere so far, companies can expect such costs to become a major factor when calculating data breach costs, he said. Pescatore also points to increased pressure from state lawmakers looking to hold companies fiscally responsible for the costs associated with data breaches.

By Jaikumar Vijayan, Computerworld (US online)