Despite organisations increasing their security budgets and investing significantly in the latest cybersecurity tools, enterprises are still facing risks of more data breaches than ever before. Security correspondent Daniel Bardsley speaks to industry experts to discuss how IT and business leaders can use their resources more wisely.
Spending on cybersecurity is increasing dramatically, with budgets growing much faster than those of the IT sector as a whole.
According to figures from Gartner reported by Cybersecurity Ventures, the annual global spend on cybersecurity this year is likely to be $124 billion.
Seen in isolation, this figure appears large enough. But when it is considered that is 35 times the size of the yearly spend from 13 years ago, it appears truly vast.
Statistics from RSA Conference, the annual cybersecurity event in San Francisco, indicate that global cybersecurity budgets rose by 141 percent between 2010 and 2018, with spending on cloud security alone having increased almost 1.5 times since 2017.
And this is at a time when IT as a whole is not benefiting from the same level of growth in spending. In July, Gartner forecast that worldwide IT spending in 2019 would reach $3.74 billion, up just 0.6 percent on last year’s figure.
There is no sign that the stratospheric growth in cybersecurity investments is going to tail off, even if IT budgets as a whole remain under pressure. Far from it, in fact – last year’s total cybersecurity spend was 12.4 percent up on that of 2017, according to Gartner, and by 2022 global cybersecurity investments are forecast to reach $170.4 billion.
The amounts being spent by some individual organisations on cybersecurity are eye watering. Microsoft’s cybersecurity budget exceeds $1 billion a year, Cybersecurity Ventures reports, while the financial organisation JP Morgan Chase spends around $600 million each year to protect its assets. And that’s even before the cybersecurity budgets of government departments are considered – in the United States, these can reach many, many billions.
Yet, amid all of this rapid growth in cybersecurity spending, the number of breaches that organisations are facing is increasing too.
The cost of a data breach study by the Ponemon Institute, carried out on behalf of IBM, found that the time to identify and contain a data breach is now 279 days, which is up nearly five percent on 2018, when the average time was about 266 days.
Similarly, the cost of a data breach is growing, with the same study finding that the average penalty was $3.92 million this year, up from $3.86 million last year.
While in other sectors of IT, as experts have noted, the pressure is on to reduce inefficiencies and to increase productivity, in cybersecurity such improvements in performance are harder to identify.
So why, given the increased spending, is the cybersecurity sector failing to generate better outcomes?
“As cybersecurity is changing all the time, the attackers are usually one step ahead of companies,” says Dimitris Raekos, general manager, ESET Middle East.
“There is currently a lack of genuine cybersecurity awareness within organisations and a tendency for IT managers to be ‘misled’ when they are selecting cybersecurity products and solutions,” he adds.
They can be impressed by buzzwords or phrases, notably artificial intelligence, but the reality of the solutions they purchase may not live up to the hype.
“They spend on products that are more marketing than solutions. In cybersecurity there are no silver bullets. It doesn’t [follow] if they spend more, you will have more security. Companies need to find products for their needs,” he explains.
This issue – of companies buying products or solutions that turn out not to offer significant benefits – is also identified by Jeff Ogden, general manager – Middle East and India for the email security company Mimecast.
He recalls a recent forum attended by numerous chief information officers (CIOs) and chief information security officers (CISOs) at which they were asked how many technologies that they had purchased over the past three years had they switched off.
This straw poll found that buying technologies, only to find that they were not solving problems, was the norm. Often, says Ogden, new products end up “making complex environments more complex”.
“Why are they continuing to invest [greater amounts on cybersecurity]? We have a big focus in this region around technology. People have been budgeting for these particular technologies. That’s why the budgets are continuing to grow,” he says.
“The mistake a lot of people make is to go and buy features. They buy such nice technology. It does a very good job in the niche, but when you have a complex problem you need a holistic solution.”
He says that organisations are starting to realise this and are working towards getting more joined up solutions in place.
Any discussion that highlights the growth in the number of breaches despite increases in cybersecurity spending should, of course, not ignore the primary factor – the threat landscape is increasing daily.
As Cybersecurity Ventures notes, there has been a “dramatic rise” in cybercrime, ransomware attacks have reached “epidemic” levels, and billions of poorly protected Internet of Things (IoT) devices have been deployed.
“The threat is growing. The industry targeting organisations is growing. The accessibility of this technology to attack an organisation is also growing,” said Ogden.
“This region is heavily targeted. Saudi Arabia is second globally in the number of targeted attacks.”
So, in the current climate of bigger budgets, bigger threats and more breaches, what are the solutions?
Ogden says that one conclusion of the gathering of CIOs and CISOs that he took part in recently was that simplification was “the number one priority”.
“Every one of them said, ‘We’ve got to make things simpler,’” he said.
Ogden says the products that Mimecast offers can offer 10 security products in a single console, something that can counter the problem of non-integration of security products, which complicates detecting and dealing with threats. He says other companies are consolidating products too.
“If you look at Microsoft, they’re doing a great job of consolidating to a single platform – Azure,” he said, referring to the tech giant’s cloud computing platform.
Indeed, Ogden says that the ongoing migration to the cloud “absolutely” could be part of the solution to the problem of companies spending more on cybersecurity only to end up with too many products, high bills and security gaps.