I recently saw an article on Forbes that identified some of the major banks and how much money they will be spending on cybersecurity. We are talking about companies like Wells Fargo, Citibank, J.P. Morgan Chase. We are talking about budgets starting around $250 Million a year for cybersecurity. That is a big budget.
In information security it is common to hear questions about how much a company spends on security. There are random numbers thrown out that 10% of the IT budget, or 10% of the total budget should be reserved for security. We also see, with every breach that happens, people claiming that the company didn’t take security seriously. My initial question when I saw the article was “does this mean these banks take security seriously enough?”
The issue is that it is impossible to determine how that money is used. Great, you are spending $200 million a year, but what are you doing with that money? The number really doesn’t mean anything. It doesn’t help other companies determine how to increase their security. Is the answer just spend more money? No. The answer is spend that money more efficiently.
What I want to see is a break down of how that money is allocated.
How much of it is going to employee resources, hardware, software, monitoring, etc.
How much of that is focused on Firewalls, IDS, IPS, Antivirus and other controls.
Is that money used for training, Static or Dynamic analysis tools, scanning tools, 3rd party engagements?
I want to know what they are doing and what appears to be most effective. This information can then be useful to other companies that are still struggling with increasing their security.
Throwing big numbers around gets the user to be interested, but it is that breakdown of information that is what will help others improve their security.
Don’t stop short and just look at overall budget, or get hung up on just those numbers. Dig deeper into how that money is used. You can get the latest and greatest do all flashy light device for a lot of money, or you can get a little less flashy devices that may actually do a better job and be more cost effective. Lets get more discussion around what is actually working vs. what is not working rather than focusing on the size of your budget.