While interviewing 25 IT executives in the security space, the topic of budget allocation was raised several times.
While some executives believe you still need to be protecting the infrastructure, which is where 90% of the security budget is typically invested, others believe there needs to be more spent protecting the cloud, mobile, IoT, apps, and data in transit. While the different points of view may be based on the business model of the company for whom the executive works, ultimately we should take an objective look at what's in the best interest of the business.
While there are gaping holes around the cloud and the APIs accessing the cloud, email is the number one attack vector and both are poorly audited and cannot be controlled beyond the network.
Today, web and mobile applications are the main business driver for many, if not most, large organizations around the world. These applications allow users to interact with the organization's backend servers and data. Companies must ensure these applications are developed without exposing vulnerabilities that can expose users' data. Application security is based on the idea of reducing the risk of a breach before the application goes to market.
Hackers no longer need to struggle with firewalls and IPS systems since they have access to applications that provide a direct communication channel to enterprise data.
Companies need to pursue a risk management and mitigation strategy identifying their most important data and thinking about the impact of that data being compromised. There are so many different issues, threats, and security choices (> 1,500), companies must prioritize what's most important to secure based on the company and the industry - especially when regulated. Once a company has decided on the most important data to protect, they are in a much better position to identify the solutions that will help them achieve their objective.
Most large companies have at least a dozen security solutions on board layering security of the network, intrusion detection, security event management, antivirus, more holistic security tools, as well as end point detection. Unfortunately, few, if any, of these solutions are integrated, making the CISO team's job that much more difficult.
A consistent theme was the need to have visibility throughout the network, and devices and to automate incident detection and response in order to minimize the potential damage and loss when your network is hacked.
Speed was also a theme. While IT leaders are attempting to accelerate the rate at which they are able to develop and deploy code, security professionals need to prevent hackers from gaining control of systems. However, they are hampered by poor visibility, shadow IT, and the reputation as a blocker to innovation.
IT and security teams need to partner to develop security and agility together; however, their goals may not align. This is where it's important for C-level executives to understand the impact of data security on their business, and brand, identifying and implementing a well-informed risk management policy that can help align IT and security.
Perhaps as more C-level executives understand the importance of security and it becomes a primary concern, it will receive the same scrutiny and evaluation as finance, production, and marketing. Afterall, the security of your brand will affect the perception of your brand when you are hacked and lose personally identifiable information.
How do you think your security budget should be allocated?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing and Cybersecurity Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Millefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Product, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2