That’s kind of a loaded question, but still important.
After all, you are spending a bunch of money on it; how do you know if you are getting your money’s worth?
Or maybe you are not spending very much at all – in that case how do you know if you are adequately protecting your company?
Given those questions, Larry Ponemon, the researcher who performs research for almost anyone who pays him (but there is no evidence that his research is skewed because of that) and AttackIQ conducted a study. AttackIQ is a security tool vendor.
Larry’s study says that on average, enterprises spend around $18 million on cybersecurity every year (what is included in that is, of course, somewhat variable) and more than half of them plan to increase that by as much as 14% next year.
53 percent of those responding said that they have no idea how well the tools are working in their corporate networks.
On average, these IT folks say that they have almost 50 cybersecurity tools installed. Larger companies sometimes run as many as a couple hundred. How could you know if the tools are working if you have that many?
A little over a third think they are getting “full value” from their investments.
Worse yet, over 60% said that they have actually experienced a tool that said that it blocked a security threat, when, in fact, it had not.
Almost 60% of the respondents said that lack of visibility was the reason there were still breaches, even though they have almost 50 tools installed.
40 percent think that their teams are effective at finding and plugging security holes. This means that almost two thirds do NOT think their teams are effective at their primary mission.
Almost two thirds said that there is no set schedule for penetration tests.
Click here to see the full report.
So what does all of this mean?
It likely means that buying more tools will not fix the problem.
It doesn’t mean that you should halt your security program either, however.
It does mean that you have to have a robust cybersecurity governance program. That should not come as much of a surprise. At some levels, cybersecurity is a hard problem. At other levels, it is very straightforward.
The basics need to be done – governance, planning, training, policies, backups, incident response, endpoint protection, encryption and so on.
What requires more analysis is some of the very expensive tools that some of the vendors are selling. Some of the tools cost tens of thousands of dollars – or more.
It is fair that companies need to assess the programs that they have in place. No different than any other program that a company runs.
The challenge is how do you measure whether the program is working or not? Is it working because you didn’t get hacked today? At some level, yes, but at other levels no. How do you measure success?
I don’t have all the answers. I wish I did. But every company needs to consider what they are doing. If you are just doing the basics then that analysis is pretty simple. But if you are looking, like enterprises are, at spending $18 million a year, then you need to figure out how to define success.
Most of our clients are not in the league of spending that kind of money on security, but security is a $125 billion a year business according to Gartner and growing. So for every company that is spending way less than that $18 million, there are some that are spending way more.
Cybersecurity is a big investment for every company. Make sure that you are spending that money wisely. Start with the basics. Do those basics right. Then look at the advanced things. Set up metrics. Brief management. Ask questions. It is, after all, something that could take down your company if you do not do it right.
Again, the Ponemon study is available here.