SecureState Blog


One of the things that I love about working at SecureState is the diversity of activities going on here at any given time. An excellent example of this is the recent “Security Spending” whitepaper written by Adam Stewart. Adam is a student from Northwestern who spent the summer interning with us. He isn’t majoring in Information Security, however, but in Economics.
Having Adam for the summer allowed us to dig for better data on exactly how our clients are spending their limited security dollars. Our field is filled with folklore and “best practices.” Hard data to support those practices is rare.

One trend that I’ve noticed working with different clients is that many push to acquire products to address virtually every security problem they have. There can be many reasons for this: perhaps it’s easier to get budgetary approval for products than for employees. Maybe the security group is led by engineers who favor tools over process. Or perhaps there just isn’t anyone asking the right questions: what will we do with this tool once it’s purchased, and do we have the staff to do that? Whatever the reason, Adam’s paper highlights two fascinating data points:

  • Companies in our sample spent 58% of their security budget on tools
  • For companies with over $150,000,000 in revenue, this jumped to 71%!

[Chart: Average Security Spend by Category]

For those larger companies, this means only 29% of the budget (42% across the whole sample) is being spent on headcount or outside consultants. I’ve seldom visited a client that wouldn’t benefit from increased manpower. If you have a tool sitting unused and still in its box, you have to ask yourself whether that budget would have benefited your company more if it had been spent on an extra set of hands to actually execute on some security tasks.

Another fascinating trend identified in this whitepaper was that as companies grow, the overall percentage of revenue spent on information security tapers off dramatically:

[Chart: Security Spend vs. Revenue]

Most would agree that larger companies make bigger targets for attackers, and they typically carry much larger burdens when it comes to regulatory requirements such as PCI, HIPAA, and privacy law. Despite this, these companies spend smaller and smaller percentages of revenue on security as they grow. In that context, big breaches such as the one at Sony seem much less surprising than they did at first blush. Based on the data we gathered, it’s likely that these large corporations are significantly underspending on security, despite what may look like massive budgets.

[Image: Flushing Money Down the Toilet]

For those CISOs and CIOs out there reading this, I’d like to close this blog out with a suggested exercise: approach your purchasing department and ask for the annual budget for toilet paper or coffee. See how that compares to your current spend to protect your company’s information assets.

If you have a company with 100,000 employees, and you spend $0.60 on a roll of toilet paper per person per month, then your company is spending $60,000 a month. That adds up to $720,000 per year, with zero return on investment!