Dangerous gaps in cybersecurity investments
Businesses need a balanced plan that addresses all areas of security
Are there any companies today that don’t take cyberthreats seriously?
Maybe a handful, but they are outliers in a world in which cybersecurity has become a top priority for most businesses.
That said, simply directing attention and investments toward cybersecurity initiatives isn’t enough. You have to be smart about how you invest so that there aren’t gaps in your defenses that leave your company vulnerable to attack.
At a high level, at least, there are positive indications that companies are doing things right. For example, the IDG 2017 State of the CIO survey, which polled nearly 650 heads of IT, found:
- Upgrading IT and data security was one of the IT leaders’ top three goals, garnering the same percentage of mentions as two other priorities – helping reach revenue targets and simplifying IT.
- More than half (51 percent) of the respondents said their IT strategy is tightly integrated with their overall IT strategy and roadmaps, up from just 37 percent saying the same a year earlier.
- On average, IT security investments represented 12 percent of the total IT budget.
Given the wide range of IT agenda items, ranging from big data analytics to cloud computing to just “keeping the lights on,” the 12 percent of budgets going to cybersecurity represents a significant slice of the pie. As important as that macro investment amount, however, is the granular way in which the money is distributed.
Areas of cybersecurity
There are several broad categories of cybersecurity investments, and companies can’t afford to underfund any of them. These areas include:
- cybersecurity technologies and controls
- security staffing
- employee education, training, and testing
- cybersecurity insurance
Some companies have chosen to focus on technology investments. There's some justification for emphasizing this category of investment – which, broadly defined, can involve both purchasing and deploying technology solutions on-premises and subscribing to managed and cloud-based security services.
With the volume and diversity of cyberattacks constantly escalating, companies can’t hope to defend against them without the aid of sophisticated – and automated – threat identification and response systems.
Advanced technological defenses can also help fill in gaps that often exist in one of the other investment categories – security staffing.
Finding and hiring needed security personnel is quite challenging nowadays, so companies may sometimes be forced to rely on technology rather than people. Even so, it would be foolish to proactively scale back security hiring in the belief that technology advances have made security expertise superfluous.
Historically, many companies have underfunded employee awareness education and training, but that tide largely turned as it became clear that employees with poor security practices were the source of many cyberbreaches. Even so, far too many companies still fail to educate their entire employee base, or to test employee awareness and practices on an ongoing basis.
Cybersecurity insurance is a relative newcomer to the security budget mix. Companies have learned that – no matter their defenses – they face high odds of becoming cyberattack victims at some point. Given this awareness, insurance policies are almost certain to capture a growing percentage of the overall cybersecurity budget. However, insurance should be treated as a complement to strong security technology, staffing and education, not as an alternative to them.
When making your cybersecurity investments, it’s critical that you direct the funds in a balanced way that addresses all of these security areas. Each one plays a critical role in building comprehensive defenses, and underfunding any of them could prove to be an extremely dangerous and costly error.
AT&T Cybersecurity Insights report
Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."
In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.