Many CIOs endanger their companies simply by not spending enough on security.
That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.
But if you consider the proportion of the overall IT budget that businesses allocate to security, you’ll find a red herring. That's because the purpose of spending money on IT security — aside from ticking regulatory compliance boxes — is to reduce the risk of a security breach to an acceptable level. The amount of spending required to achieve this is not connected to overall IT spending in any way.
How to assess risk
In the most basic terms, security risk is the product of the cost or financial impact of a security breach and the likelihood that a breach occurs. In other words, Risk = Cost x Likelihood.
It was using this equation that led Sony's senior vice president of information security, Jason Spaltro, to point out back in 2007 that "it’s a valid business decision to accept the risk" of a security breach, adding, "I will not invest $10 million to avoid a possible $1 million loss."
Sony may have made some spectacular miscalculations in terms of cost and likelihood, but Spaltro's economic argument for allocating resources to security is sound: There is no point in making any investment — in security or anything else — if the greatest possible return is less than the amount invested.
But let's get back to the initial idea that companies don’t spend enough on security. What the Sony security breach taught us is that most companies wildly underestimate the likelihood of a breach in their future.
Sony bases its estimates on events from the past; but in recent months, it's become evident that the security landscape has fundamentally changed.
In the past, most security breaches were carried out by criminal hackers with limited resources, motivated by financial gain. This meant that their targets would yield financially valuable spoils such as credit card details, and if a target's defenses were too troublesome to overcome, the hackers would simply move on to another promising target with less-effective defenses.
In the same way that if you’re chased by a bear, it's only necessary to run faster than your buddy, having reasonable security measures in place was enough for many companies to ensure that hackers would move on and attack someone else.
Hacks become government work
The Sony attack was likely carried out by foreign-government-sponsored hackers or perhaps even military personnel, according to James Lewis, a security expert at the Center for Strategic and International Studies in Washington, D.C.
These types of attackers are highly skilled and have enough resources to breach any security defense they want to. And because it seems that they are motivated beyond money—such as the desire to cause financial or reputation damage, for example—there is no strong incentive for them to move on to the next target unless the defenses they encounter are high.
"Criminals are opportunistic. They just want to make money. But government-sponsored hackers will just keep trying and won't give up,” Lewish says. “The Sony hackers were vindictive. This was not done for money—it was politically motivated, and there was no effort made to sell the data they stole."
If hackers can breach any company regardless of its current defenses and they’re interested in getting their hands on everything—not just data they can sell—then the likelihood of a breach has gone up.
But it gets worse. The Sony hack has also taught us that the potential cost of a breach has risen. That's because government-backed hackers aren't looking to steal structured data, such as credit card information or social security numbers. The cost of losing this type of information is well known, and averages $201 per compromised record, according to the Ponemon Institute's 2014 Cost of Data Breach study.
Since hackers may be motivated by scoring political points or causing a company embarrassment, these hackers look to steal and expose unstructured data, such as emails and other documents. Losing this type of data can lead to a drop businesses due to loss of reputation; senior executive resignations, as was the case in the Sony hack due to bad publicity; and legal headaches when confidential information is made public, such as pay differentials for male and female employees who do the same job.
"If you look at liability and the cost of lawsuits, this always turns out to be the most expensive part of a breach," Lewis says.
Because Risk = Cost x Likelihood, and since both the likelihood and cost terms have gone up, risk has increased on both fronts.
The purpose of investing in security measures is to manage security risk and ensure that it is reduced to an acceptable level. But what we've learned from the Sony hack is that the risk is actually higher than we previously believed. To reduce it to an acceptable level requires more investment in IT security.
"I think that most organizations should be spending more on security, but obviously the concern is that even if there is a 5 percent increase in the security budget, it doesn't mean it will be spent wisely," says Rick Holland, a security and risk management analyst at Forrester Research. "One of the biggest problems is chasing silver bullets—buying the soup du jour."
If government-sponsored hackers can break in to any company's IT infrastructure, then increasing spending on perimeter defenses may not be the right route. A more promising approach might be to invest in more effective intrusion detection systems to prevent hackers from exfiltrating data after they have broken in, according to Anton Chuvakin, research director at Gartner.
Wait ... there's good news
The good news is that there is new security technology on the horizon, and some of it looks like it will be a worthwhile investment. “Cutting-edge technologies show genuine promise and are already being used by enlightened companies," Chuvakin says. "Analytics may give a huge boost to defenders, as well as machine learning and threat intelligence. It's too early to say 'buy this and you'll win, but there is definitely light at the end of the tunnel."