Biz coughs up even less for security, despite mega breach losses

Information security budgets are falling despite a continuing rise in the number of attacks, according to a new report by management consultants PwC. Detected security incidents have increased 66 per cent year-over-year since 2009, reaching the equivalent of 117,339 attacks per day, according to PwC's "The Global State of …

  1. Peter 39

    won't happen

    Beancounters are beancounters. And security is a cost, with no upside.

    It is very, VERY hard for IT folks to put up reasonable numbers for risk, exposure and the like. Beancounters know about buildings and fire risks, and accidents and cost of insurance against that, but nothing at all about risk and exposure for information systems.

    In addition, much of the cost of breaches is NOT borne by the company. If your credentials were compromised at Target and your identity stolen - do you think they will compensate you for a couple of years of effort to straighten it out? No, they do a deal for "monitoring" at low cost to them, and this only alerts you after the fact that you have a problem. Nothing preventative at all.

    So, try as they might, IT managers have little success in showing Boards the real cost of a breach (except in banks, I guess). And until that changes, Boards will spend less and less on security.

    1. Tom 35

      Re: won't happen

      And you can add backup to the cost center too.

    2. Anonymous Coward

      Re: won't happen

      It's exactly the kind of product that's only sold to the board once the horse has bolted.

      They'll only realise how important it was when their company is hopelessly compromised, all their secure information is in the public domain and they are frantically trying to keep the entire organisation afloat.

  2. Chris Miller

    Estimating security breach losses

    I entirely agree that it's "a hopelessly inexact science". But if a consistent methodology is used, at least the trend ought to be telling us something.

  3. Destroy All Monsters

    Yes

    We just had a Battery Stable Horse Bolt event, so interest in security was suddenly rekindled.

    Which is nice, I suppose.

    1. Elmer Phud

      Re: Yes

      And the longer they talk, the further away the incident was and the available money grows smaller.

  4. DNTP

    Presentation to the Board- IT Security Trends and Costs.ppt

    - If MORE incidents are being detected and reported, that is a real improvement over security in the past, where breaches were not detected and not reported.

    - Security assets and software have been improving WITHOUT an increase in spending!

    - We can cut the security budget so we can have the SAME level of security that the company had in the past, but for a LOWER cost!

    1. ecofeco

      Right?

      I've seen this VERY presentation. Been on the pointy end of it, too.

    2. FlatEarther

      Doing the same costs less.

      While it's somewhat surprising to see budgets fall overall, the cost of IT security has fallen dramatically in recent times. Just look at the SIEM market. There are many new players offering cheaper-to-buy-and-operate solutions, forcing the incumbents to lower prices. True for most security technology.

      I also suspect that some amounts that used to be in the security bucket are now in the general IT/application bucket.

  5. ecofeco

    Why would they do this?

    'Cause fuck you with my golden parachute, that's why.

  6. Anonymous Coward

    File this story under "This will end in tears"

    To set context, I haven't been in a role where I was mostly involved in IT security marketing for several years now.

    Second, I've read the comments above.

    I agree that security is hard to monetize, and that if there is a breach most corporations will just offer affected customers a year or two of credit monitoring. However, the brand damage of a security leak is pretty severe if you are talking about various retail operations. Customers are not very understanding when they do what you ask (give you their credit card/shipping/email/some personal info and buy stuff from you) and then you don't protect that data. If you leak their data, they do start looking for other retail options, and it does change their spending behavior with you.

    Some of these other recent breaches, like healthcare records, I can't say. Here there are complex relationships and lock-ins around insurance networks and doctors. However, leaking personal healthcare information (PHI) in the U.S. is an expensive matter if you get taken to court in a class action.

    Given these huge breaches we have been seeing lately, reducing IT security spend seems like a dangerous bet. However, if these boards of directors weigh the options and decide that reduced spend is in the best interests of the company, then hopefully they will take some ownership if something bad does happen. My concern is that they are not looking at IT security spending, and just at the IT budget in general and saying "Yep, that budget only grows the 3% we asked you to meet for the coming year. So we approve". Then the board gets ambushed because IT security spending got pushed to the side so that some other more easily monetized IT spend could get prioritized.

    1. Mark 85

      Re: File this story under "This will end in tears"

      You were doing great until the last paragraph and the Board taking ownership. If the heat gets too bad they will grab their golden parachutes and bail. Or, someone will be fed to the wolves and parachutes will not be deployed, but a large bonus will be given for "finding the problem".

      1. Anonymous Coward

        Re: File this story under "This will end in tears"

        Yes, I am afraid that most boards don't drill down to the IT security level when they are looking at spending initiatives, just like they don't really look at datacenter spend, or remote connectivity spend, or spending at most any other level/component of IT.

        However, I can dream.

  7. Cipher

    They don't seem to understand that you pay now or you pay later, but pay you will...
