By browsing this site, you are agreeing to our cookie policy. More Information

The Current Cyber Crisis and the IT Security Budget

Security | Mar 24, 2015

Barry Plaga, Interim CEO and CFO, Guidance Software
Last summer, J.P. Morgan Chase suffered a significant cyber breach of its corporate servers that affected approximately 76 million households. Very bad news and no longer an unprecedented event for a major financial institution. Then, two things happened the following fall that are very interesting when considered together:

  1. J.P. Morgan Chairman and CEO James Dimon told a panel discussion audience at the Institute of International Finance that his bank would double its cybersecurity spending over the following five years.
  2. PwC released its latest Global State of Information Security survey that noted that spending on information security fell four percent during a period in which cyber attacks against companies increased 48 percent.
The key takeaway? It takes a hack on our own organizations and a massive media storm to get us to sit up and open our wallets.

The Challenges are Clear

As someone who wears two hats at Guidance Software—interim CEO and CFO—I understand the concern with cost management in a challenging business climate. IT costs in general are often uncomfortably large, and they seem to go up at the whim of vendors and industry analysts to very little measurable return on investment.

But I have found myself wondering more than once in the past five years whether the last 20 years of curbing IT security spending has left us as executives—and our companies—exposed. The Target breach has cost the company $162 million so far. That’s higher than the 2014 average reported on in the latest Ponemon Institute report, which says breaches cost companies around $3.5 million, up 15 percent from the 2013 average.

As CFO, I know that we have to make smart spending choices to stay competitive—no question about it. But as CEO, I understand that the potential consequences of a data breach are dramatically higher than they were five years ago. The legal defense costs and potential awards of class-action lawsuits, the capital costs of remediation, potential regulatory fines, and the damage to corporate reputation add up in a way that should give every board of directors and C-suite dweller pause.

Smart Spending Means Adding a Line Item


Spending on information security should be one of the highest budget priorities on any executive’s list. But smart spending is key. As hacks like those in the past year have taught us, no matter how many bricks you add to your firewall, only one of us inside the firewall (the human perimeter) has to click on a phishing email link or leave a login and password sitting around and all of that perimeter security money was for nothing. Companies have to be watching their network endpoints (laptops, mail servers, point-of-sale devices) for strange activity – the behavior that is outside of normal for that endpoint—in order to see problems as they develop—and before the critical data leaves the premises.

In other words, if you’re not investing equally in endpoint security as on perimeter security, you’re not fully covered. Meet with your IT and information security teams. Ask them whether they can see when something unauthorized is happening in the locations where your sensitive data is stored. Then revisit the budget and add a line item for endpoint security. 
Load more comments
Thank you for the comment! Your comment must be approved first
comment-avatar

You May Also Like

Security

EnForce Risk Manager: Redefining Data Privacy & Co...

Have you ever asked yourself if your organization has control over its data?
Feb 4
Security

Finding those Easter Eggs?

We don't mean to egg you on... well, in fact, we do.
Nov 3