Information security spending has been growing steadily and is an investment priority for many businesses which are fearful of data breach incidents. In fact, the current global information security spending is $77 billion per year and can reach as high as $100 billion in 2018, and $170 billion in 2020 according to Gartner.
Assuming that companies are willing to spend as much as necessary on information security, the security strategies are sometimes reactive and misguided in order to achieve the stated security objectives and risk management goals efficiently. Most often, the bulk of security spending is for network perimeter security and breach prevention solutions. This is fine if the company has assessed that its network penetration risk is high and can lead to serious consequences. However, if the objective of information security is data protection, some company strategies must be revised in order to reach the stated objectives more efficiently. Although management intentions in some companies for securing company systems and data are good, their strategies are often limited and inefficient.
For most companies which have critical data, information security is about data protection. But information security has failed many times to prevent data breaches despite the increased spending because we fail to focus on data. As we accept the reality of data breach incidents, companies need to become resilient to breach incidents.
According to a recent poll by Identity Management Institute, 30% of info security spending is for intrusion prevention followed by 28% for resources and training, 24% for breach detection, and 19% for breach response. Proposed spending amounts are often indicators of where company management believes the security risks reside. The results of this poll also teach us that security spending priorities do not adequately address breach detection and response which is the point I'm trying to make. In other words, if the information security objective is data protection, focus must strategically shift away from intrusion prevention to rapid intrusion and malware detection, and, adequate and timely response to detected intrusion whether it's malware disablement, impact assessment, or communication.
Let's be clear that network perimeter security is important similar to when we would lock our home front doors to prevent strangers from entering, but we also have to think about securing our precious valuables in case someone forgets to lock the doors, loses the keys, gives away the keys, or if someone finds a way to unlock the doors. Employees and more importantly those with privileged access often facilitate network intrusions because they fail to follow or implement the policies and standards. If our focus is on the end result or Return on Investment (ROI) of information security spending which may be data protection, thieves will not benefit much by breaking into our computer networks unless they just want to embarrass the company.
In order to be smart about information security spending and reach our security goals as effectively and efficiently as possible, the questions that we have to ask ourselves are why do we spend billions a year for security, do we have a defined objective, and how do our security expenditures help us reach our stated objective with every dollar that we spend. If our security goal is data protection, we have to be resilient to data breach incidents and make sure the compromised data is unusable when breach incidents occur, and, be prepared to respond. This can be achieved with smart data encryption which means that we encrypt the most important data fields to secure data at all times while maintaining low cost and effective operation. The next question you might ask now, is what constitutes an important data? This is rather a personal question for each company to answer during its info security risk assessment and strategic planning phases.
Also, let's not forget that effective data protection is more than IT security and requires business support, awareness and education, vendor management, and policy or regulatory compliance.