Post Breach: Prioritizing Cyber Spending
How to Avoid Wasteful Security Investments
JPMorgan Chase CEO Jamie Dimon recently stated that he expects the bank's annual IT security budget to double from $250 million to $500 million over the next five years in the wake of its massive data breach, which impacted 76 million households and 7 million small businesses (see: Chase's Cybersecurity Budget to Double).
But will that prove to be money well spent?
Any organization that's experienced a data breach must avoid simply throwing more money into cybersecurity without first carefully analyzing where the investments are most needed, security experts stress.
Before allocating funding for cybersecurity initiatives, organizations should conduct risk assessments to pinpoint security gaps. Potential spending priorities in the current environment, experts say, include ramping up breach detection measures, improving employee security awareness and training, and taking steps to devalue sensitive data, such as through encryption and tokenization.
Increased spending could prove wasteful if an organization doesn't conduct a thorough risk assessment to pinpoint the security gaps within a security program, stresses fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation.
"Without a thorough risk assessment and a well-formulated strategy, any amount of money spent will be a shotgun approach at best," he says. "It's important to get to your security budget methodically, and not miss any of the steps."
For instance, a $500 million security budget could be used to great effect, "or a lot of it could be wasted," Wills says. "Unfortunately, in real-life enterprise environments, it's more often the latter that happens."
A common example of ineffective security spending is to buy expensive technology but fail to extract the full value from it, Wills says. For instance, an organization could set up a state-of-the-art security operations center, he explains. "But if you don't hire and train a competent team to configure and operate those systems properly, and set up a process to analyze and take appropriate action on the vast amounts of data that they produce, you're probably best off not spending the money in the first place."
Security consultant Neira Jones says that before upping the amount of money that goes into cybersecurity, organizations should identify gaps that could be addressed with existing funds.
"It's perhaps not a question of increasing budgets, but more of spending money in the right places," Jones stresses. "And more investment in awareness and incident response would certainly not go amiss."
Organizations need to invest in security awareness for staff and managers "to create a hyper-vigilant state within the organization so that activities that are suspicious don't get ignored," adds Avivah Litan, an analyst at the consultancy Gartner.
As cyberthreats evolve and breaches against organizations continue to increase, it's important for organizations to know that, even with the best security products and programs, there's still a good chance they'll be breached, Wills says. That's why investments in breach detection are so important.
"The challenge then becomes [having] the ability to detect and respond to a breach as fast as possible in order to minimize the damage," Wills says.
And a recent breach affecting a White House unclassified network illustrates that even some of the nation's most powerful organizations have a long way to go when it comes to detection. The White House reportedly wasn't aware of the breach until it was notified by an ally.
Organizations should consider investments in threat intelligence tools, data analytics and advanced incident response techniques, Wills says. "Prevention by itself isn't enough, and as the speed and complexity of threat delivery increases, effective detection and response start to carry more weight."
He adds, however, that investments in such breach prevention technologies as firewalls and anti-malware "are still absolutely essential."
Organizations also should take multiple steps to devalue sensitive data, says Julie Conroy, an analyst at the consultancy Aite Group. "[Organizations] increasingly need to devalue [information] at rest through encryption and tokenization, to ensure that when the criminals do break through, there's nothing of value to steal," she says.
Another area that could prove useful in mitigating the impact of breaches is to change the layout of an organization's IT environment as often as possible, says Litan, the Gartner analyst. "Once the criminals and hackers find the important material, if you keep moving things around, they won't be able to eventually steal it because they don't know how things are laid out," she says.
In addition, organizations need to implement continual screening of employees and contractors who have access to sensitive assets and information to monitor for suspicious activity, Litan says. "People who have really high-privileged access should be screened more than those who don't," she says.
Security on Tight Budgets
Few organizations can afford huge security budgets along the lines of what JPMorgan Chase plans to spend. That's why smaller organizations should consider outsourcing some aspects of their security management to specialists, Wills says.
Smaller organizations should also consider using open-source technology and managed services to reduce out-of-pocket costs, he adds. "The product selection in these areas is getting better all the time."