Security Spending: Part I, the Bottomless Pit

Today, we are honoured with the first of two guest posts in a series by Ted Lloyd, editor of OnlineCISO.

Cybercrime has emerged as a multi-billion dollar business and spawned another mufti-billion dollar business to combat it. As 2014 closed, Gartner estimates that global spending on information security will top $71 billion representing a nearly 8% increase in spending over 2013. The trend and trajectory are expected to remain steady for 2015 as well.

What business can afford these annual spending hikes? Rather, what business can afford not to keep spending, particularly when some experts in the industry are advising that businesses are not spending enough on cyber security? Failure to spend on information security might mean that a business could find itself out of business if attacked by cyber criminals, right?

Not exactly.

To be frank, any business needs to take cyber security seriously or potentially be out of business, although I do not sign on to the mantra that we must continually increase spending. Spending needs to be relative to the risks and needs to be continually evaluated for effectiveness. Technology is changing at such a rapid pace, that investments made last year may not be worthwhile investments this year; we may need to look at more effective investments in cyber defenses.

We live in a world dominated by technology, which makes it easy to be distracted into thinking that security is all about technology; it is not. Security is a business function and while many of the tools, as well as the assets we are trying to protect, involve technology, the decisions remain business decisions.

Insurance is a great example to consider. Insurance is a method of risk management, specifically one which transfers the risk. While not making the risk go away, we can make investments based on probabilities where the insurance company will agree to charge us a premium and pay any losses which occur as a result of the covered risk. The premium we pay limits our risk to just the premiums (and possibly a deductible), while the insurance company assumes the residual risk of loss.

For example, when we purchase a new fleet of vehicles, it makes sense to purchase collision insurance which pays to repair or replace those vehicles if they are involved in an accident. We pay the premiums, and that is the extent of our loss. However, as years go by, the once new and shiny fleet depreciates in value and reaches a point where the amount of money we are spending on the insurance premiums becomes more than we will recover in loss payments from the insurance company in the event of an accident. The investment no longer makes business sense, so we drop the collision coverage and accept the residual risk of loss.

Antivirus software is the cyber equivalent of automotive collision insurance. Once touted as the final line of defense – experts still recommend antivirus software on all end points – the investment in purchasing such software is very similar to continuing to carry collision insurance on a depreciated vehicle. It simply no longer makes business sense.

This last year, a senior VP at Symantec, a global security company and seller of the Norton antivirus software came out and said that antivirus was effectively dead, and no longer a serious profit center for the company. Worse, what has in the past been touted as a last line of defense, was disclosed by the same executive to only catch 45% of malware attacks.

The problem with antivirus software is that the technology has fallen far behind the capability of attackers and criminals. At best, antivirus software can identify known threats and exploits, but more often than not, and based upon the statistic above from Symantec, has very little chance of accurately detecting unknown attacks and exploits. There are millions of new malware, including the various permutations appearing each year. The reactive technology of antivirus simply cannot keep up with this pace.

Does that mean we should all stop using antivirus software? No, it does not. Antivirus software still affords some degree of protection even though it is not optimally effective. What this does mean, is that businesses should seriously consider not paying for their antivirus software in much the same way as they would consider dropping auto collision insurance.

Microsoft, for example, offers security essentials for free. There are other vendors such as AVG Free and Clam antivirus who also offer their software for free. Rather than continuing to pay for antivirus software, businesses should consider using a free solution and investing those dollars elsewhere for better returns.

After having understood that antivirus is not the end-all-and-be-all of information security spending, and need not be the bottomless pit, in part 2 we will explore where we should invest our security budgets.

Ted Lloyd, CISM

This entry was posted in business, policy, security, technology and tagged , , , . Bookmark the permalink.