The Security Model is Broken, Part 4: Cybersecurity Spending

Many indicators, such as security company earnings and venture capital investments, reveal that security spending has increased in the past couple of years. It also appears that this trend will continue for the next couple of years. Research from IDC, Gartner, Ernst & Young, Ponemon, Computerworld, CEB and others all have uptick indicators for 2014, both in terms of acquiring new technology and increasing the security staff. For example, the IDC Global Technology and Industry Research Organization IT Survey, 2014 found that 63% of organizations increased their cybersecurity spending by an average of 17%. In light of these facts, we have to wonder: is this just a spending bubble or a major structural shift?

The case can be made that historically, cybersecurity expenditures have been grossly underfunded. Why? Because our information systems seem perpetually vulnerable, as the recent Stagefright vulnerability exposing billions of Android phones clearly demonstrate. Also, cyber breaches are now regular occurrences that go unabated. Unfortunately, the most recent example is the massive OPM (U.S. Office of Personnel Management) breach, where an estimated 21.5 million personal records were compromised according to CNN (7/10/15). Every month, every week, every day, we hear about new vulnerabilities and major breaches that affect millions of people worldwide.

A structural shift in cybersecurity spending is not only warranted but required, and it must be sustained well into the foreseeable future

These cyber vulnerabilities and breaches clearly justify the increased spending on cybersecurity that we are seeing, be it for security technology, incident response forensics and services, or expert cybersecurity personnel. Given that the current and the future state of cybersecurity is one of constant vulnerability, we can easily make a case that a structural shift in cybersecurity spending is not only warranted but required, and it must be sustained well into the foreseeable future.

One reason to be concerned that this spending increase is just a bubble is the federal government’s response to the OPM cyber breach. The federal government ordered a 30 day Project Sprint to implement two-factor authentication for privilege accounts. There’s nothing wrong with declaring a sprint to get people’s attention; in fact, it produced very positive results. What is disconcerting, however, is that those controls should have already been in place; and even more to the point, cybersecurity is not a 30-day project but a continuous improvement initiative that requires constant attention as cybersecurity threats change. So, is this spending sprint a bubble or a structural shift for the federal government?

As all these cyber vulnerabilities and breaches indicate, the bottom line is that cybersecurity has been grossly underfunded in the past; we need a structural shift in funding—not sprints—to adequately address the problem now and well into the future.

In my next blog, I’ll be discussing the Internet of Things (IoT).