Cyber-security is a hot topic at every company this year and it needs to be a board level discussion – the risk associated with cyber attack and data breaches is now clear from all the headlines. FedEx and Maersk forecast $300M in losses based on the NotPetya attack. According to data from Juniper Research, the average cost of a data breach will exceed $150 million by 2020 — and by 2019, cyber-crime will cost businesses over $2 trillion — a four-fold increase from 2015. The risks are not just financial, they could completely paralyze your business, it takes most businesses about 197 days to detect a breach on their network. So it’s clearly a significant enough risk that it should be addressed at the board level.
But where do you start and what should be the focus? A recent Gartner report says detection and response plans should be the top security priority for organizations. Prevention is no longer the primary focus of a cyber-security program; it’s a matter of quickly detecting breaches and having a plan in place to respond and mitigate. “The shift to detection and response approaches spans people, process and technology elements and will drive a majority of security market growth over the next five years,” said Sid Deshpande, principal research analyst at Gartner.
Boards should expect a shift in the cyber-security spending recommendations from their CISO in the coming year beginning with human capital. Because prevention has been the focus in the past, people skilled in detection and response are scarce and their services are expensive. On the equipment/software side, the need for better detection and response has created new security product segments, such as deception, endpoint detection and response (EDR), software-defined segmentation, cloud access security brokers (CASBs), and user and entity behavior analytics (UEBA). These new segments are creating net new spending but are also reducing spending on existing segments such as data security, enterprise protection platform (EPP) network security and security information and event management (SIEM). According to data gathered from Gartner, organizations spend an average of 5.6% of the overall IT budget on IT security and risk management.
Not only is the focus of cyber-security shifting, but the analysis of a successful system is changing as well. CISOs are measuring their security strategy in terms of the business value associated with quick damage limitation, in addition to threat prevention and blocking. The goal is to get better visibility across their security infrastructure to make better decisions during security incidents. This visibility will enable them to have a more strategic and risk-based conversation with their executive team and their board of directors.
Expect to see these shifts in focus from prevention to detection and response when your review your company’s cyber-security strategy. And don’t be surprised if information security is a larger line item in your next budget review. Worldwide spending on information security is expected to reach $113 billion by 2020.