4/27/2009
11:34 AM

The High Cost Of Not Spending On Security

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.

Money is tight right now. That's not news, but what that means for your business can't be distilled to a sound bite and generalized across an industry demographic. You're making choices to cut business hours, eliminate the jobs of people you hired and have worked with for years (some of them might even be relatives), slash marketing programs, not invest in new equipment, and the list goes on. When those choices are yours, they defy mass statistics. And until this recession starts to wane (and really wane, not just spew conflicting hints about a recovery that create more confusion and fear), these hard choices you must make as a business owner won't get any easier.

After you've trimmed the fat and then cut muscle down to bone, it's tempting to start looking at ways to trim core infrastructure. IT is always a target for cost reduction, but one area where you should be very cautious about cutting spending is security. If you don't increase the number of servers or invest in that CRM tool, it may well crimp your business growth, but in and of itself, it probably won't put you out of business. By contrast, a security breach can kill your business -- and that's even more true right now when margins have moved beyond thin to nonexistent. Do you have the cash reserves to fight a lawsuit over hacked customer data, to have your sales pipeline filched, to butt heads with regulators, or any of myriad other security disasters waiting to happen?

Yet, security still gets the axe. According to an (ISC)² survey released at the RSA Conference, more than 70% of information security professionals saw their budgets reduced in the last six months. That's sobering. If you figure that many of the 1,500 survey respondents worked in large enterprises, it's reasonable to assume there was some redundancy and excess to be trimmed; small and midsize companies rarely have that luxury in the IT department or elsewhere. But the follow-up question about budgets is also telling: 55% said they expected no further cuts this year. As for the 225 respondents who, we infer, anticipate further budget cuts, they may have more fat to trim or just figure a security breach won't happen to them. However, these results indicate a slight majority have drawn a line in the sand.

When you slash your security budget, you're pinning your hopes on the unrealistic belief that it won't happen to you. Witness another survey of CIOs (the folks charged with seeing the big picture) where the runaway spending priority for the coming year was security. The Robert Half Technology survey found that 43% of CIOs tapped information security as the number one spending priority. The distant second was virtualization at 28%.

Two surveys, one showing security budget cuts and another indicating security investment. Ah, the conflict. So where do small and midsize businesses fall in this mix?

According to yet another survey, almost half (42%) of SMBs are holding steady on IT spending and a fifth (20%) plan to increase it. The findings of the Compass Intelligence SMB Online Experience research don't break out security spending independently, but it's not unreasonable to infer that if all IT spending holds even or increases, security spending will too.

And just as this mishmash of numbers and surveys isn't clean and neat, neither is securing your business. Spending alone won't save you, but smart spending may. Now's the time to review your security budget, not with a blunt cutting instrument but rather to identify ways you can maintain or even boost your safeguards without spending big. This Wednesday, we'll be digging into exactly that issue at bMighty's virtual event: bMighty bSecure: SMB Security On A Budget. We've assembled a host of experts, analysts, and small and midsize business people to share their insights and experiences (and take your questions) about issues ranging from security budgeting to the most pressing internal and external security threats to disaster recovery, security appliances, and more -- all with an eye toward pragmatic, achievable outcomes that account for today's budget realities. Check out the full event agenda here.

Unlike many other IT investments, security has an inverted ROI equation -- the result you hope for is that NOTHING will happen. And the only indicator you'll have of whether you've spent enough is a security breach, and then it's too late.

bMighty bSecure is a virtual event designed to help your company stay secure in the most cost-effective way possible. bMighty and InformationWeek editors will bring together SMB security consultants, analysts, and other experts, along with real IT execs and users from small and midsize companies to share the secrets of keeping your company secure without breaking the bank.