How mid-to-large companies can optimize security budgets
By Dominic Vogel
Larger IT security departments often spend on solutions they don't really need or that don't address a business risk, which ends up being a waste of money. It is certainly not unheard of for multiple security solutions to be thrown haphazardly into the enterprise network infrastructure, creating security gaps instead of reducing risk. In order to be more efficient with your hard-earned budget dollars, your enterprise information security team needs to evolve from focusing primarily on operational security controls to a more business-centric endeavour encompassing activities such as risk assessments, asset valuation, IT supply chain integrity, and process optimization. Several months ago, security vendor RSA released a report outlining how to transform IT security. The report, in describing how next-gen security teams should function, serves well as a guiding document for how to reposition your budget spend.
IT security team responsibilities
According to the report, the core information security team should be responsible for governing and coordinating the overall IT security effort and performing tasks requiring specialized security knowledge. The areas IT security should focus on are: redefining and strengthening IT security's core competencies (control design and assurance); delegating routine operations (allocating repeatable, well-established security processes); and establishing an information risk consultancy (partnering with the business in managing information risks and coordinating a consistent enterprise risk management approach). Following such an approach ensures that security investments are effective and efficient in delivering sustainable information security that supports the business goals (translation: you aren't wasting money).
According to RSA, the vast majority of enterprise security controls today are implemented for preventative purposes. RSA estimates that most organizations spend approximately 80 percent of their security budgets on preventative measures, with monitoring (detective) and remediation (response) forming the remaining 20 percent.
Put resources where they matter
Most organizations have spent the past two decades focusing solely on firewall, anti-virus, encryption, and authentication measures to deliver an acceptable level of security, without sustained success. Preventive approaches alone do not stop the modern sophisticated, well-funded, persistent, and focused attacker. We are wasting budgets by continually pouring more and more resources into purely preventive controls. Given today's security realities, organizations need to change their overall defensive approach by increasing the funding for, and implementation of, detection and response controls.
You should be spending on initiatives that best address resiliency and provide a balanced stable of preventative, detective, and responsive controls. In most organizations, security investments, covering people, processes, and technology, are out of balance. The best thing you can do for your security budget is to get those areas harmonized.