If you're spending the majority of your security budget to secure your network and not your apps, you may be exposing your business to undue risk. More companies spend based on “traditional investments” rather than shifting as risks shift—so while existing spending with known vendors gets easily approved, there’s the potential for underinvestment in evolving risk areas that are harder to quantify and sell to management. Security is about defining acceptable levels of risk to your business so you’re able to justify spending accordingly.
Are you allocating your IT security dollars wisely?
If you focus the majority of your security spending on your network perimeter at the expense of app security and identity management, you may not have the proportions right.
More than half of enterprises spend 1 percent or less of their IT budgets on app security.
Nearly 25 percent of companies point to applications as the source of breaches, yet more than half of enterprises (51 percent) either spend 1 percent or less of their IT budgets on app security or they don’t know how much they spend. Almost three-quarters (74.5 percent) of companies admit their app security programs are not mature.
Then there’s the issue of user identities. Depending on whom you talk to, compromised identities are either the number one or number two cause of breaches.
Given these statistics it is hard to believe, but most companies still invest the majority of their IT security dollars in network perimeter protections. If yours is one of those companies, you should be seriously concerned.
Your ‘network perimeter’ may be largely imaginary
Because of the rise in mobile devices and the proliferation of cloud-based apps, your perimeter is likely quite porous. You now have hundreds, perhaps even thousands, of vulnerable users located all over the world, accessing your data using a broad range of apps on mostly unprotected devices. How prevalent are cloud-based apps? Four out of five organizations host applications in the cloud, and 20 percent plan on delivering more than half of their applications from the cloud this year. By 2018, there will be more than 12 billion mobile devices in use around the world. With your apps living anywhere and your users connecting from any device, your traditional perimeter has just exploded.
Then there’s the fact that identity and access management is becoming more complex. Whether your apps live on-premises, in your private or public cloud, or are Software as a Service (SaaS), they all require authentication. The average enterprise has 700 apps in use, and that’s just the official count. Your users have password fatigue, and IT is struggling to manage the identity sprawl and access.
The fact is, if cyber criminals find themselves blocked at your network, they’ll simply phish a gullible user or infiltrate a vulnerable web app. The whole nature of security has changed.
Four steps to refocus your IT security spend
What can you do? Take these four sequential steps.
Step 1. Prioritize what you need to protect
Apps officially developed or deployed by IT are relatively easy to vet, but be sure to check out SaaS apps that are often overlooked. Then, identify all the shadow IT apps that are being used by your employees and assess their risk to your organization. These won’t be easy to find. You can interview your business units, review the logs of your web filtering software, and review legal contracts signed with SaaS providers, but it’s a very manual process. Still, you should prioritize whatever apps you can identify and secure those that make you most vulnerable.
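One of the less manual ways to start the shadow-IT inventory described above is to aggregate your web-filter or proxy logs by destination host and compare the result against the apps IT already knows about. The script below is an added illustration and is not part of the original article; the log format, the sample log lines and the sanctioned-host list are all constructed for the example, so substitute your own proxy export and your own app inventory.

```python
"""Surface candidate shadow-IT SaaS apps from web-filter/proxy logs.

Added illustration for Step 1; not part of the original article. The log
format, the sample lines and the sanctioned-app list are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of proxy log lines: "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2016-03-01T09:01:12Z alice GET https://mail.example-corp.com/inbox 200
2016-03-01T09:02:40Z bob POST https://filesharez.example/upload 200
2016-03-01T09:03:05Z carol GET https://filesharez.example/browse 200
2016-03-01T09:04:17Z dave GET https://notes-saas.example/api/v1/sync 200
2016-03-01T09:05:59Z alice GET https://filesharez.example/browse 200
2016-03-01T09:06:31Z erin GET https://crm.example-corp.com/ 200
2016-03-01T09:07:02Z bob GET https://notes-saas.example/api/v1/sync 200
2016-03-01T09:08:44Z frank GET not-a-url 400
"""

# Apps IT already knows about (constructed). Anything else is a candidate.
SANCTIONED_HOSTS = {"mail.example-corp.com", "crm.example-corp.com"}


def parse_line(line):
    """Return (user, host) for one log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, _method, url, _status = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, host.lower()


def find_shadow_apps(log_text, sanctioned_hosts):
    """Count distinct users and requests per destination host and return the
    hosts that are not in the sanctioned inventory, most widely used first.

    Result: list of (host, user_count, request_count) tuples.
    """
    users_by_host = defaultdict(set)
    requests_by_host = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        user, host = parsed
        users_by_host[host].add(user)
        requests_by_host[host] += 1

    candidates = [
        (host, len(users), requests_by_host[host])
        for host, users in users_by_host.items()
        if host not in sanctioned_hosts
    ]
    # Rank by breadth of use (how many employees), then by request volume.
    candidates.sort(key=lambda c: (-c[1], -c[2], c[0]))
    return candidates


if __name__ == "__main__":
    for host, n_users, n_req in find_shadow_apps(SAMPLE_LOG, SANCTIONED_HOSTS):
        print(f"{host:28} users={n_users} requests={n_req}")
```

Ranking by the number of distinct users rather than raw request volume is deliberate: a SaaS app quietly adopted across several business units is a bigger data-exposure question than one noisy integration, and the user count is also the figure a business-unit interview can confirm or explain.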
Step 2. Check out alignment between budget and threats
What are you spending your IT security dollars on? Your company may be one of the businesses headed in the right direction, but if you find that your senior management is so focused on compliance that it is missing the most critical vulnerabilities associated with applications and identity sprawl, start building your case. Document your findings so you’ll be able to identify areas of under- or over-spending.
Step 3. Communicate your discoveries
Let senior management and your board know your findings. Explain to them the gaps that exist between what they are spending their money on and what else needs to be protected. Make specific recommendations and be prepared to present a cost-benefit analysis of recommended investments to get the dollars you need. You will likely need to invest in identity and access management, application security management, and advanced firewall solutions.
Step 4. Implement controls, and show how you are managing threats
Document and track how you are spending the extra monies you get, and give fact-based reports to the board and senior management on how well it’s working. There is still the chance that you will get breached, so purchase cyber insurance and put an incident response (IR) company on retainer to leap into action and reduce your damage should a breach occur.
Pick your battles
Of course, you’ll never be able to address each and every vulnerability on your list. You may decide that the cost to eliminate some risks is greater than the cost of living with them. Communicate your thoughts to senior leaders, and clearly lay out your plans for dealing with all risks—whether you choose to mitigate them or not. Let them share responsibility for prioritizing how the money is spent in this new perimeter-less world.
Alice LaPlante is an award-winning and best-selling American author of numerous books, including A Circle of Wives and The New York Times bestseller Turn of Mind, which was the winner of the Wellcome Trust’s Book Prize and a B&N Discover Award finalist. She was a Wallace Stegner Fellow and a Jones Lecturer at Stanford University, and taught creative writing at both Stanford and San Francisco State University. She has written for Forbes ASAP, BusinessWeek, ComputerWorld, InformationWeek, and Discover. Her corporate clients include some of the best-known brands in the technology industry, including IBM, Microsoft, Oracle, Symantec, Deloitte, and HP.