Risk
4/27/2009 11:34 AM
The High Cost Of Not Spending On Security

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.

Money is tight right now. That's not news, but what that means for your business can't be distilled to a sound bite and generalized across an industry demographic. You're making choices to cut business hours, eliminate the jobs of people you hired and have worked with for years (some of them might even be relatives), slash marketing programs, not invest in new equipment, and the list goes on. When those choices are yours, they defy mass statistics. And until this recession starts to wane (and really wane, not just spew conflicting hints about a recovery that create more confusion and fear), these hard choices you must make as a business owner won't get any easier.

After you've trimmed the fat and then cut muscle down to bone, it's tempting to start looking at ways to trim core infrastructure. IT is always a target for cost reduction, but one area where you should be very cautious about cutting spending is security. If you don't increase the number of servers or invest in that CRM tool, it may well crimp your business growth, but in and of itself, it probably won't put you out of business. By contrast, a security breach can kill your business -- and that's even more true right now when margins have moved beyond thin to nonexistent. Do you have the cash reserves to fight a lawsuit over hacked customer data, to have your sales pipeline filched, to butt heads with regulators, or any of myriad other security disasters waiting to happen?

Yet security still gets the axe. According to an (ISC)2 survey released at the RSA Conference, more than 70% of information security professionals saw their budgets reduced in the last six months. That's sobering, though if you figure that many of the 1,500 survey respondents worked in large enterprises, it's reasonable to assume there was some redundancy and excess to be trimmed; small and midsize companies rarely have that luxury in the IT department or elsewhere. But the follow-up question about budgets is also telling: 55% said they expected no further cuts this year. As for the 225 respondents who, we infer, anticipate further budget cuts, they may have more fat to trim or may just figure a security breach won't happen to them. Still, these results indicate that a slight majority have drawn a line in the sand.

When you slash your security budget, you're pinning your hopes on the unrealistic belief that it won't happen to you. Witness another survey of CIOs (the folks charged with seeing the big picture) where the runaway spending priority for the coming year was security. The Robert Half Technology survey found that 43% of CIOs tapped information security as the number one spending priority. The distant second was virtualization at 28%.

Two surveys, one showing security budget cuts and another indicating security investment. Ah, the conflict. So where do small and midsize businesses fall in this mix?

According to yet another survey, almost half (42%) of SMBs are holding steady on IT spending and a fifth (20%) plan to increase it. The findings of the Compass Intelligence SMB Online Experience research don't break out security spending independently, but it's not unreasonable to infer that if all IT spending holds even or increases, security spending will too.

And just as this mishmash of numbers and surveys isn't clean and neat, neither is securing your business. Spending alone won't save you, but smart spending may. Now is the time to review your security budget, not with a blunt cutting instrument, but to identify ways to maintain or even boost your safeguards without spending big. This Wednesday, we'll be digging into exactly that issue at bMighty's virtual event: bMighty bSecure: SMB Security On A Budget. We've assembled a host of experts, analysts, and small and midsize business people to share their insights and experiences (and take your questions) about issues ranging from security budgeting to the most pressing internal and external security threats to disaster recovery, security appliances, and more -- all with an eye toward pragmatic, achievable outcomes that account for today's budget realities. Check out the full event agenda here.

Unlike many other IT investments, security has an inverted ROI equation -- the result you hope for is that NOTHING will happen. And the only indicator you'll have of whether you've spent enough is a security breach and then it's too late.

bMighty bSecure is a virtual event designed to help your company stay secure in the most cost-effective way possible. bMighty and InformationWeek editors will bring together SMB security consultants, analysts, and other experts, along with real IT execs and users from small and midsize companies to share the secrets of keeping your company secure without breaking the bank.
