Important Considerations for the IT Security Budget

Many businesses spend 80% of their security budget on security controls that provide defences to protect the business from threats. The remaining 20% is spent on intrusion detection and mitigation strategies.

This sounds logical to most until you consider what many security specialists know deep down but are afraid to tell senior management – “that whatever we do to protect against the bad guys we will be hacked at some stage – we might have already been but we don’t know it yet – maybe we never will”.

Security professionals believe that the business will be hacked – there are no exceptions.

To the layman this sounds impossible but it’s not. Consider that a hacker can attempt to gain access to a system 1000’s of times, using different access points, different tools, automation, social engineering, Zero-day exploits. The attack vectors are endlessly growing. With all this fire-power they only need to be successful once – just once.

The security team defending the business must block all attacks 100% of the time which means knowing every exploit public or private including Zero-day, they need a team of incredibly skilled staff or third-party attacking the systems every hour of the day, every hole in the network must be identified and plugged, all devices are fully patched with the latest updates, the network guys know every single protocol used within the network, BYOD security is fully implemented and staff are all trained on social engineering and phishing concepts.

Does it now sound more realistic that it is almost impossible to stop a baddie from gaining access to your business systems? If so then why is 80% of the IT security budget spent on trying to stop the inevitable?

Should we not admit that our business will be hacked; apply the basic defensive security controls such as a firewall, segmented network, IDS, implement a very good patching process and educate our staff; then focus on how the business will detect, mitigate and recovery from a successful attack.

To find out how prepared your security staff are ask them the process on how to detect an intrusion, then mitigate and recover from the attack. Ask them if the process has been tested with a number of threat scenarios such as a malware attack that has encrypted all network drives, a DDOS attack, theft of the entire customer database, employee attack from the inside possibly using a “logic bomb”, loss of admin credentials and encryption keys. Ask the legal team what are the businesses legal responsibilities if there is a theft of PII data. The list goes on…

So instead of focusing on trying to stop the impossible, put in-place the recommended security defensive controls but focus your time and budget on working out how to detect and recover from a successful attack.