Eight Ways to Improve Your Cyber-Security Spending

By Karen A. Frenkel  |  Posted 07-20-2014

Organizations are concerned about cyber-threats, but many of them have neither invested strategically in security nor aligned that spending with their business strategies, according to a new report. One result is a major gap in security spending between industries. For instance, banking and finance spend heavily ($2,500 median per employee) while others, like retail and consumer products businesses ($400) and education ($200), spend much less. The report, "2014 U.S. State of Cybercrime Survey," was conducted by CSO magazine, PriceWaterhouseCoopers LLP, the U.S. Secret Service, and Carnegie Mellon University. The more companies spend, the more incidents they detect, according to the report. Likewise, victims of cybercrime are more cautious and benefit more from mature security practices than their peers. "We found that 37 percent of respondents who had not suffered a security incident did not know what groups pose the greatest threat, compared with 18 percent who had experienced an incident," notes the report. Five hundred U.S. executives and security experts from private and public companies participated in the study, which identified effective cyber-security practices and compared them to practices and technologies that the U.S. National Institute of Standards and Technology prescribes in its cyber-security framework.

  • When Is Cyber-Security Spending Most Productive?

    Dollars spent on cyber-security are most productive when allocation is based on specific business risks. However, only 38% of respondents say they have a method for prioritizing security investments based on the greatest risk and impact on the organization's business strategy.
  • Forget One-Size-Fits-All

    No single methodology for strategic spending works for everyone, but enterprises should allocate resources based on risk, regardless of industry and location.
  • Flexible and Agile Cyber-Security Helps

    The scope and duration of cyber-security initiatives should be less than the typical three- to five-year business plans. That way, organizations can quickly address threats as they increase and evolve.
  • Shift From Prevention to Incident Response

    Rather than emphasizing prevention, organizations should fund processes that integrate predictive, preventive, detective and incident-response capabilities to minimize impact.
  • Invest in People and Processes

    Organizations should spend their money on people and process capabilities that enable them to respond quickly and mitigate incidents.
  • Identify the Crown Jewels

    It is critical to invest in resources that identify and classify the most viable information assets, and to determine where they are and who has access to them.
  • Estimate Cyber-Security Investments

    Identify and classify assets to help IT and business executives determine how much to invest in cyber-security. Organizations should also consider the quality and end-to-end strategy of their investments.
  • Invest in Analytics

    Don't just deploy network-monitoring technologies, for example. Ensure adequate funding for data analytics that enable cyber-security personnel to discover patterns in anomalous network behavior and to act on these insights.
Karen A. Frenkel writes about technology and innovation and lives in New York City.

