Throwing money at security threats may be good exercise, but it won't do much to deter data thieves, ransomware bandits, and other bad guys.
While enterprise security leaders usually do well at estimating threats and vulnerabilities, they often lack the ability to accurately assess business risk when making the case for sufficient security funding. “Cyber risk and its business impact is often put into technical language that the C-suite does not understand,” says John Gelinne, managing director, cyber and strategic risk, at business and advisory firm Deloitte. “As a result, translating threats and vulnerabilities into justifiable investments is often left to the tech team’s experience and judgment -- insights that often trail evolving cyber threats.”
A common way enterprises waste money on IT security is by basing their security plans and budgets on the latest cybersecurity trends and on what other organizations are doing. “Each organization's security needs will differ based on their line of business, culture, people, policies, and goals,” says Ahmad Zoua, director of network IT and infrastructure at Guidepost Solutions, a security, investigations, and compliance firm. “What could be an essential security measure to one organization may have little value to another.”
Poor planning and coordination can lead to needless duplication and redundancy. “In large organizations, we frequently see many products and platforms that have the same or similar capabilities,” says Doug Saylors, cybersecurity co-leader for technology research and advisory firm ISG. “This is typically the result of a lack of a cohesive cybersecurity strategy across IT functions and a disconnect with the business.”
Organizations often layer security products on top of each other year after year. “As security teams and leadership, such as CISOs, leave the organization, new team members and leaders bring in new security products,” says Charles Everette, director of cybersecurity advocacy for cybersecurity firm Deep Instinct. “As the security solutions pile up, there's a tremendous amount of wasted resources and capital as solutions -- basically shelfware -- don't perform as expected due to not being updated or keeping up with newer and more sophisticated attacks.”