Spend! Spend! Spend! In the last three years spending on IT security has risen significantly. In a world where almost every month there is a data breach of large companies, the reaction has been to spend more money of IT security. However, as the old adage goes, throwing money at a problem does not fix it. Spending on IT security needs to be well thought out, and security needs to be understood as an ongoing effort, not a series of one time purchases. Only 22% of businesses measure the effectiveness of their security spending. Of the 22% who do, only 64% feel they are spending effectively.

There are motivations and drivers to IT spending besides the latest outbreak of ransomware. The big two seem to be protection of sensitive data and regulatory compliance, as survey results indicated from the SANS Institute. Coming in third was the need to reduce insider threat, with only 25% of respondents citing that as their reason. The drivers of IT spending reflect how and why money is allocated for IT security. While security experts have been warning businesses about insider threat for years now, it still is not the highest priority. Understanding the drivers of spending can provide insight into the logic of their spending as well.

The size of a business seems to be a critical factor in their spending ability too. If one looked only at percentages, business are committing about four to six percent of their total budget to security. However there is a lot of nuance ignored when only examining percentages. Over the last three years Large businesses have expanded their security budgets from one million to ten million, with the most conservative estimates. Medium businesses have also increased their security budgets by double over the last three years, from half a million to nearly one million a year. The businesses being left behind, small business. Their annual budgets have remained hovering around one hundred thousand a year. For small business there are serious financial constraints to keep up with the latest security solutions.

Trending in Spending

Operational spending has been concentrated in protection and prevention for the most part, with detection and response coming in second. Surprisingly, third was spending merely to meet compliance. These two areas of spending reflect the motivators above for spending which were protection of sensitive data and regulatory compliance. Staffing for these areas is mainly with in-house staff, while nearly 20% of all organizations have stated they refuse to hire consultants for what they believe could be handled in house.

Digging deeper into the nuance of spending is the technology that firms are spending money on. The top three technologies are access/authentication, advanced malware protection, and endpoint security. As expected business leaders and owners feel their spending in these specific technologies has been effective. While application security and security intelligence programs tended to not be invested in as much and were on the lower end of spending.

So with all the spending increases and confidence measures there has to be some way to calculate ROI in security right? Return on investment (ROI) is the go to measure of effectiveness in business, however in the case of security the traditional ROI calculations do not work and you will need to apply some creativity to figure out what is ROI for you. It is important to look at investment as protecting data at risk, where continuous saving will be realized year over year by investing in security. The other option is not to invest and potentially fall victim to the ransomware that has wreaked havoc across the world.

Spending for Effectiveness

Security spending should not only be focused on meeting today’s compliance requirements or else it is going to be ineffective. Compliance and regulatory requirements are delayed reactions to events that have happened already. As a business it always pays (or saves) to act preemptively to decrease risk. Below are some ways to understanding how to spend your budget effectively.

Strategic Integration

Just as the rest of your business has very forward looking plans and is oriented towards the long-term, so too must your security be planned for the long term. This will ensure whatever security decisions you make now are made for all a variety of anticipated scenarios. This is counter to the current modes of spending which are in reaction to current events and as a result come too late. Security needs to be aligned and integrated with business objectives. From this perspective security acts as an enabler to helping the business achieve its priorities, thus is worth an operational investment.

Do Not Spend Blindly!

Hard to believe but most business admit to spending on security blindly. Even some IT directors have admitted that they feel compelled to spend the whole budget because they fear next year they will not receive as much. Not tracking security spending and the ROI of security solutions is a sign that security is not being managed as effectively as it could. Security budgets need to be tracked in order to provide visibility into what is working improve compliance, reduce attack surface area, reduce the number of breaches per year, response time, and strategic alignment. Benchmarking your spending against these measures can shift the perspective of security from one of reaction to one of enablement.

Cost / Benefit Analysis

The final suggestion is to always do a cost benefit analysis of the technology or program you feel you want to implement. The cost benefit does more than provide justification for the purchase but the process allows for critical examination of several elements of the business and its needs. Purchases based on the great sounding features is not a sustainable security solution in the long run.

Security spending and budgeting is still working itself out. Spending trends in security reflect the general pattern of business of reacting to a risk with the minimum to stay protected. However it is possible to be stay ahead and make sure security is just right for you and your needs. Do spend on security just make sure you’re spending in a manner that you can measure against strategic goals and benchmarks.