How to Escape the Security Arms Race and Thrive

Chris Braden
As more applications move to the cloud, and as more information is digitized and other technology strategies (BYOD, IoT) are employed, today’s corporations have increasingly become unwitting participants in a security arms race, one in which they’re poorly equipped to participate.
Most every company has to follow this path of digitization to evolve and to stay competitive. However, this transformation of the IT landscape also opens up more and newer cyberattack vectors and creates new and greater vulnerabilities.
Corporations know they need security solutions to keep up with the increasing complexity and sophistication of this digitized IT landscape. However, they also need more answers. The truth is that many companies don’t always know how to effectively assess security technologies as they build their security strategy. This can lead to buying technology they can’t fully implement or utilize, adding complexity and frustration to an already difficult situation. Fortunately, there are options – and your company doesn’t have to go it alone.
The Rise of the Arms Race
It isn’t just the cost of software that has led to this arms race, though that certainly is a significant part of it.
There’s a lack of transparency in the industry — and a lack of understanding about how many people, assets and resources a company really needs to realize a return-on-investment from many of today’s security technologies. Under-staffed IT and security teams create more security risk than most companies realize.
That’s due to several factors. First, many security solutions require more dedicated personnel with security skills than they advertise. Companies purchase security technology and often fail to understand what it truly takes to effectively implement and operate said technology to mitigate risk. In classic business parlance, this is the total cost of ownership (TCO), and for many security technologies, the TCO is higher than customers often realize.
Second, companies often struggle to decide between focusing on security and focusing on compliance. While the two should, in theory, be harmonious and aligned, the reality is they often are not when companies lack enough budget to accomplish both objectives.
Third, the evolution of the global cybercrime economy is very real. Simply put, cybercrime is big business. Hackers are increasingly well-funded, well-educated and know all too well how to buy and sell the spoils of cybercrime on the black market. This leads to increasingly sophisticated threats from increasingly sophisticated threat actors.
As Gartner points out, IT spending statistics alone don’t measure IT effectiveness and aren’t a gauge of successful IT organizations. A company may be spending the same amount as its peer group but may have different goals (e.g., regulatory compliance versus increased security) or have a different risk profile or risk tolerance. Gartner has found that security spending typically ranges from 1 to 13 percent of an organization’s total IT budget, yet many organizations don’t have a discrete breakdown in their budget between IT and security.
Adding to all of this is that there’s an abundance of software and solutions to choose from, which can make it difficult to …