The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Security budgets averaging $4.3 million this year represent a gain of 51% over the previous year, and that figure is nearly double the $2.2 million spent in 2010, all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
The question is, why? Why are security budgets rising while enterprises still are not getting the results they hoped for? "Many organizations are infatuated with buying the latest trendy thing, whether or not it makes the most sense for their specific security posture," says Jay Leek, chief information security officer at The Blackstone Group.
The 11th annual Global Information Security Survey of 9,600 executives also found that the number of organizations reporting losses of greater than $10 million per incident is up 75 percent from just two years ago. The costs of these breaches also are rising, with data breaches up 9 percent in 2013 from 2012.
One thing is certain: organizations are not spending on the technologies and capabilities best suited to help spot advanced attackers, such as malware analysis (only 51% do so), inspection of traffic leaving the network (41%), rogue device scanning (34%), deep packet inspection (27%), or threat modeling (21%).
With all of this in mind, how do you tell if that increase in budget you received is being spent in the right areas?
The right staff
First up: make sure your team is well positioned when it comes to security staff.
"Figuring out if you are understaffed or overstaffed can be tricky," says John Pescatore, director, emerging security trends, at SANS Institute. "If you have 10 firewalls, how many full-time equivalents does it take to manage them? If you have three people taking care of 10 firewalls, you either have really bad firewall managers or you should invest in a tool so that one person can manage those 10 firewalls," he says.
One way to evaluate staffing is to look at how many full-time equivalents are in the security program as a percentage of total IT positions. Another is to compare your security/general IT staff ratio with that ratio within your industry, and see how your security staffing stands in contrast to your peers, says Pescatore. "That's a good indication. Be sure to take into account how many full-time equivalents may be in place through outsourcing arrangements, such as firewall management and monitoring," he explains.
Understaffing of security professionals is likely to create a situation where the organization ends up pushing unsecured projects into production, unable to respond properly to incidents or to maintain a healthy security program. This means that those who are there will be constantly jumping from one emergency to the next.