How much should I be spending on IT Security?

With the number of reported successful cyber attacks on big name establishments on the rise, it seems no one is immune. And the consequences of such an attack can be enormous, potentially threatening the long-term viability of the enterprise, writes Sascha Jäger, Fujitsu.

We’ve probably all looked at some of the recent high-profile attacks and felt that the targeted organisation hasn’t got the basics right. Equally, some of the more complex attacks appear almost impossible to completely mitigate. The reality is that many of the new options for mitigating security risk are becoming increasingly expensive and complex.

In the current climate, we could easily spend all our budget ensuring that we have the most advanced processes, people and technology to secure our estates. But this drastic approach would leave nothing available for delivering new applications or services that keep the enterprise viable.

It used to be that implementing a DMZ, a few firewalls, a level of anti-virus and a patching regime was adequate for nearly all organisations. But the plethora of modern countermeasures is complex. And it is no longer clear which are the basics and which are enhanced capabilities only appropriate for organisations facing advanced threats.

When this is combined with the reality that our enterprise data is no longer in one place behind the castle walls, but is instead spread across multiple cloud, SaaS and on-premise platforms, the potential for security costs to increase exponentially starts to become a reality.

So how do you decide which threats to invest in mitigating?

In reality, we are all constrained by budget and resource. The need to innovate to provide new and improved digital services to employees, partners and customers is a fundamental need of all enterprises today. But this has to be balanced with the investment required to mitigate the ever-advancing security threat.

Hindsight and agility are critical

We need to maximise rapid learning from the threat, attempts and successful breaches, both internally and across peer organisations. Adopting an agile response to the combination of incidents and emerging threats therefore becomes essential.

If security always trumps other priorities the organisation will fail through lack of investment in the digital services it needs to be competitive. Yet if security is always second fiddle then the enterprise will fail through the direct and indirect impact of repeated breaches. In business this can be financial and reputational impact. In the public sector, defence and critical national infrastructure the potential impacts are even more concerning.

This is further compounded by the delineation between the ‘Security Team’ and the rest of the IT function. Good security management involves all development and support teams fully understanding their security risk profile and proactively managing their security posture. That is what we should naturally be doing as IT professionals. The security team is then focussed on finding exceptions to good practice, and on advising and skilling the teams to improve.

So why is the Security Team so separate?

As part of agile planning we need to include security-based user stories as well as the user functionality-based ones. This puts developers and other IT professionals in the security decision process as well as inserting security in the middle of the functionality debate. It should result in a more dynamic balance between the needs of both teams.

Whilst an urgent functional requirement may need immediate action, equally a new vulnerability or attack vector may need swift measures. To enable this, developers and operations staff need to improve their security knowledge and capability. But the Security Teams also need to step up and engage proactively and collaboratively in both application and solution design and development. Increasingly, there is a natural crossover between these functions.

By working collaboratively, we can achieve a dynamic and coherent portfolio that balances the need to invest in security with the other capabilities that drive the enterprise forward and effectively manage enterprise risk.