Though the final tally is not yet in, it's a safe bet that security spending saw healthy growth in 2014. Gartner in August predicted that global spending on information security would hit $71.1 billion this year, an increase of 7.9 percent over 2013. The firm is predicting a similar jump in 2015.
While organizations are spending more on securing their information assets, are they spending wisely?
Unfortunately, no amount of money can completely protect your organization, said Karl Volkman, chief technology officer at Chicago-based IT services firm SRV Network. "People often look at technology as something that can be perfectly controlled, but it is not. There will never be a big enough security budget to remove all risk," he said.
Follow the Risk
It's best to focus on areas that present the biggest risks, Volkman said, suggesting that organizations should perform a risk/cost analysis and work with their legal and insurance teams to better determine the possible costs of a data breach. "You want to look at all of your data and ask what happens if it falls into the wrong hands. Does it close your doors? How much will you have to spend to make it right with your customers and your business partners?"
Once you have identified especially sensitive data, Volkman said, it's a good idea to limit the number of locations where such data resides. "You need to look at the surface area, determine how many employees can get to the information or how many websites offer access to it. If you can limit the surface area as much as possible, that makes it easier to manage," he said.
Centralizing and consolidating data whenever possible also makes it easier to help determine the costs to secure it, he said.
A commonly overlooked area of security spending is creating a disaster plan, Volkman said. Businesses should draw up plans for different security incidents, much as they already do for operational problems such as a server going offline for a protracted period. "You want to determine how you will devote the time and money to dealing with it, so when it does happen – and it will – you can act quickly and limit your exposure and potential loss," he said.
Traditional approaches to security are no longer effective, said Jerry Irvine, CIO of IT services firm Prescient Solutions and a member of the National Cyber Security Task Force.
"Securing the perimeter and trying to keep people out is just impossible today," he said. "You must look at security as an entire program and have security policies as opposed to simply buying security tools. You still need the legacy tools like firewall and antivirus, but now you must have application security and data security technologies in place above and beyond those traditional tools."
The first step to smarter security spending, Irvine said, is assessing your current environment. "You need to look at what you are doing now, what you need to do differently and what you can automate so you can lower costs in the long run."
Vendors and other partners can be a valuable resource for such assessments, said Rashesh Jethi, a Cisco director supporting Cisco Business Services in the areas of security, collaboration and mobility.
"Some of our more forward-looking customers are going at it that way," he said. "Instead of just saying 'help us design our firewall strategy for the next three years,' they ask us to help them create a threat profile. Sometimes they even ask us to break into their network and tell them how hard it was," Jethi said.
It is helpful to "take a step back and identify the risks," he said, noting that working with an external firm can give an internal security team a new perspective. "If you are in a corporate security department, you will know a lot about your infrastructure but you do not necessarily have the same breadth of experience as to what is going on outside. Working with a partner can help bring you up to speed on the latest threats and technology."
Security assessments can help organizations identify areas that would benefit from consolidation, Jethi said, noting that Cisco surveys sometimes indicate customers have more than 60 different security products in their data centers.
Organizations often buy point solutions to deal with specific security problems or vulnerabilities and end up spending a lot of money maintaining this piecemeal infrastructure. Reducing the number of providers and taking a more standardized approach can help cut costs. "We have seen organizations doing this to optimize their network processes, but we haven't seen that happening much in security yet," Jethi said.
Organizations can no longer treat security spending as a line item, Irvine said. Instead, it must be included as a key component of technology projects throughout the organization. Doing so will yield savings, he said.
"If you do nothing but throw security on at the end, you will spend a lot more money and get a lot less security, whereas if it is built into products from the beginning, you can build automated reoccurring processes and other things that will save you money in the long run and help you avoid costs of remediation and loss," Irvine said.
To help determine the appropriate levels of security spending, Irvine suggested talking to peers in the same vertical industry and consulting frameworks like the National Institute of Standards and Technology Cybersecurity Framework and the ISO 27000 to 27002 standards. Share these frameworks and industry-specific requirements like HIPAA with senior-level executives to get budgetary buy-in, he advised. "Take them industry best practices and regulatory requirements so they better understand what you have to do."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.