Last week, I had a great opportunity to explore the APAC cybersecurity market and meet many brilliant people during Black Hat Asia 2016. Singapore's economic miraclemade its cybersecurity market as attractive as the North American one, attracting the largest security vendors to the region.
Advanced Persistent Threat (APT) protection, Threat Intelligence, Enterprise Immune Systems, Cloud Access Security Brokers (CASB), User and Entity Behavior Analytics (UEBA) - these are just a few of the offerings currently available on the cybersecurity market. I bet that many security industry professionals (including myself) hardly understand the real meaning of some of these terms, or to be more precise - the real difference between them and the generic terms existing for years. But this is a topic for a dedicated article, and in this piece we would rather concentrate on cybersecurity budgets and related challenges.
Cybersecurity budgeting should start with a holistic and comprehensive risk assessment. Once all threats and vulnerabilities are listed and prioritized, companies can proceed to properly managed RFP to select right security controls. A security control shall assure appropriate, efficient and continuous risk mitigation in accordance to corporate risk strategy and risk appetite. However, in reality things happen in much different and less effective way.
This year, Obama asked for a $19 billion cybersecurity budget across the US government (an increase of $5 billion), as computer attacks were among the most imminent security challenges facing the United States. The UK government will alsodouble cybersecurity funding to fend off ISIS cyber-attacks. Meanwhile, Gartner predicts cybersecurity spending to hit $170 billion by 2020. This sounds very promising for the cybersecurity industry, however we need more facts to understand the real state of affairs.
An alarming signal comes from PwC's State of Cybercrime Survey: almost half (47%) of respondents said that adding new technologies is their main spending priority, higher than all other initiatives. Only 24% said that cybersecurity strategy redesign is a priority, and as low as 15% see priority in cybersecurity knowledge sharing. This means that companies spend their budgets on new technologies, before conducting proper risk (re)assessment and quite often omit cybersecurity RFPs best practices. This explains why, regardless of all the above-mentioned budget increases, the average cost of cybercrime rose again in 2015 to $7.7 million, while overall cybercrime costs are projected to reach $2 trillion by 2019.
According to EY's Global Information Security Survey 2015, 69% of respondents say their information security budget needs to rise by up to 50% to protect the company in line with management's risk tolerance. At the same time, only 40% of the respondents hold an accurate inventory of their ecosystem (data, network connections, third-party providers), and as few as 34% would rate their security monitoring as mature or very mature. When even the basic cybersecurity requirements are not met, we cannot spend on new technologies - it's like treating a cold, yet ignoring a cancer.
Sign up for CIO Asia eNewsletters.