Risk
4/27/2009
11:34 AM
Connect Directly
RSS
E-Mail
50%
50%

The High Cost Of Not Spending On Security

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.Money is tight right now. That's not news, but what that means for your business can't be distilled to a sound bite and generalized across an industry demographic. You're making choices to cut business hours, eliminate the jobs of people you hired and have worked with for years (some of them might even be relatives), slash marketing programs, not invest in new equipment, and the list goes on. When those choices are yours, they defy mass statistics. And until this recession starts to wane (and really wane, not just spew conflicting hints about a recovery that create more confusion and fear), these hard choices you must make as a business owner won't get any easier.

After you've trimmed the fat and then cut muscle down to bone, it's tempting to start looking at ways to trim core infrastructure. IT is always a target for cost reduction, but one area where you should be very cautious about cutting spending is security. If you don't increase the number of servers or invest in that CRM tool, it may well crimp your business growth, but in and of itself, it probably won't put you out of business. By contrast, a security breach can kill your business -- and that's even more true right now when margins have moved beyond thin to nonexistent. Do you have the cash reserves to fight a lawsuit over hacked customer data, to have your sales pipeline filched, to butt heads with regulators, or any of myriad other security disasters waiting to happen?

Yet, security still gets the axe. According to a (ICS)2 survey released at the RSA Conference, more than 70% of information security professionals saw their budgets reduced in the last six months. That's sobering, if you figure that many of the 1,500 survey respondents worked in large enterprises, it's reasonable to assume there was some redundancy and excess to be trimmed; small and midsize companies rarely have that luxury in the IT department or elsewhere. But the follow-up question about budgets is also telling: 55% said they expected no further cuts this year. As for the 225 respondents who, we infer, anticipate further budget cuts, they may have more fat to trim or just figure a security breach won't happen to them. However, these results indicate a slight majority have drawn a line in the sand.

When you slash your security budget, you're pinning your hopes on the unrealistic belief that it won't happen to you. Witness another survey of CIOs (the folks charged with seeing the big picture) where the runaway spending priority for the coming year was security. The Robert Half Technology survey found that 43% of CIOs tapped information security as the number one spending priority. The distant second was virtualization at 28%.

Two surveys, one showing security budgets cuts and another indicating security investment. Ah, the conflict., So where do small and midsize businesses fall in this mix?

According to yet another survey, almost half (42%) of SMBs are holding steady on IT spending and a fifth (20%) plan to increase it. The findings of the Compass Intelligence SMB Online Experience research don't break out security spending independently, but it's not unreasonable to infer that if all IT spending holds even or increases, security spending will too.

And just as this mish mash of numbers and surveys isn't clean and neat, neither is securing your business. Spending alone won't save you, but smart spending may. Now's a time to review your security budget, but not with a blunt cutting instrument, but rather to identify ways you maintain or even boost your safeguards without spending big. This Wednesday, we'll be digging into exactly that issue at bMighty's virtual event: bMighty bSecure: SMB Security On A Budget. We've assembled a host of experts, analysts, and small and midsize business people to share their insights and experiences (and take your questions) about issues ranging from security budgeting to the most pressing internal and external security threats to disaster recovery, security appliances, and more -- all with an eye toward pragmatic, achievable outcomes that account for today's budget realities. Check out the full event agenda here.

Unlike many other IT investments, security has an inverted ROI equation -- the result you hope for is that NOTHING will happen. And the only indicator you'll have of whether you've spent enough is a security breach and then it's too late.

bMighty bSecure is a virtual event designed to help your company stay secure in the most cost-effective way possible. bMighty and InformationWeek editors will bring together SMB security consultants, analysts, and other experts, along with real IT execs and users from small and midsize companies to share the secrets of keeping your company secure without breaking the bank.
REGISTER NOW!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.