A Deficit In Security Spending Has Led To A Massive Security Debt

Every IT department has struggled for years to justify spending on security. Various models have been used, with varying success, to encourage upper management to open the coffers. Return on Security Investment models attempt to quantify the money saved by preventing future breaches. The factors cited include the cost of lost productivity, the direct costs of notification in the case of a breach that must be reported under 45 different state laws, and, hardest of all to quantify, the loss of trust or brand value.

Obviously these attempts to justify security spending are failing. How could organizations that should know better still be suffering major breaches? The theft of 21.5 million highly confidential records of government employees, past and present (and those of their families), from the Office of Personnel Management is only the latest, most egregious, example.

In response to the OPM breach, on June 12 the Department of Homeland Security (DHS) initiated a cybersecurity "sprint" to identify critical assets, hunt down intruders, and remove them. What they will find is that the Federal government has to pay down a massive cybersecurity debt.

Here is what I mean by cybersecurity debt. One measure of spending is the percentage of the overall IT budget devoted to security. It is useful because it can be compared across sectors and helps identify best practices. The very best organizations spend as much as 8% of their IT budgets on security. My thesis is that organizations that under-spend on security are accumulating a cybersecurity debt that will have to be paid back. If they have been spending 2% of their IT budgets on security and the best in their sector have been spending 8%, then they are accumulating cybersecurity debt at 6% per year. Of course, IT budgets increase every year, sometimes by as much as 10%.

Let's look at a simple example. Five years ago a widget manufacturer had an IT budget of $1 million. Each year, as they automated plant reporting, upgraded the network, and bought new PCs, that budget increased by 10%, so that by the end of five years they were spending $1,464,100 on IT. If they spent 2% of their budget on security, that would be $20,000 in the first year and $29,282 in the fifth year. If the best practice is to spend 8%, they are operating at a security deficit of 6%, or $60K that first year, rising to $87,846 in the fifth year, for a total of $366,306 that they did not spend on security over the five years.

To avoid the inevitable breach that shuts them down for a month, or puts them out of business altogether, they have to pay down that security debt. That means spending 25% of their IT budget on playing catch up (366K/1,464K). Sometime in the future they can revert to the 8%. Luckily, security technology has evolved dramatically in the past five years. Tools for continuous network monitoring, advanced multi-function firewalls, strong authentication, even better encryption, are available today at lower cost and much higher value. So, it may be possible to lock in some of that underspending and attribute the overall savings to blind luck, the same way I once forgot to renew my license plate for three months and the DMV only charged me for the remaining nine months of the year. I risked getting pulled over and suffering thousands in costs and fines, and saved $35.

When you transpose these numbers to a large organization you can see where the problem arises. Government agencies notoriously underspend on security. OPM's total budget is almost $2 billion. According to recent budget justification documents, OPM spent about $51 million in each of 2014 and 2015 on IT, including about $7 million on salaries. At the very least, considering the sensitivity of the data OPM is responsible for, they should be spending 8% of that budget on cybersecurity, or $4 million today. Just from observing the tip of the iceberg (the breach was discovered by a vendor during a demo of their product; OPM still does not know the full extent of the breach, how long ago it started, or even whether there have been other breaches over the last ten years; and an internal audit produced a horrible report), we can assume that OPM has accumulated a large security debt. Using the same model as above, I get $15 million.
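The arithmetic of the model in the two worked cases above (the widget manufacturer with a growing budget, and OPM) is small enough to put in a few lines of Python. This is an added example, not the column's own code. The widget-maker figures are taken from the column; the OPM run assumes a flat $51 million IT budget for five years, which is my assumption and not a figure the column states. It also adds an installment calculation for spreading the repayment over several years, which the column mentions only in passing.

```python
"""Cybersecurity-debt arithmetic for the under-spending model above.

Added example, not the column's own code. The widget-maker inputs
($1M budget, 10% growth, 2% spent vs 8% best practice, five years)
come from the column. The OPM run assumes a flat $51M IT budget over
five years; that flat budget is an assumption made here.
"""
from dataclasses import dataclass


@dataclass
class YearRow:
    year: int
    it_budget: float      # total IT budget that year
    actual_spend: float   # what was actually spent on security
    target_spend: float   # what best practice would have spent
    deficit: float        # target_spend - actual_spend: debt accrued that year


def security_debt(initial_budget, growth_rate, actual_pct, target_pct, years):
    """Accrue security debt year by year.

    The IT budget starts at initial_budget in year 1 and grows by
    growth_rate each year. Each year the organisation spends actual_pct
    of the budget on security while best practice is target_pct; the gap
    is that year's addition to the debt. Returns (rows, total_debt).
    """
    rows = []
    budget = float(initial_budget)
    for year in range(1, years + 1):
        actual = budget * actual_pct
        target = budget * target_pct
        rows.append(YearRow(year, budget, actual, target, target - actual))
        budget *= 1 + growth_rate
    return rows, sum(r.deficit for r in rows)


def catch_up_share(total_debt, current_budget):
    """Fraction of the current IT budget a one-off 'balloon' repayment takes."""
    return total_debt / current_budget


def installment_share(total_debt, current_budget, growth_rate, years):
    """Extra fraction of each year's budget needed to clear the debt over
    `years` years instead of all at once, assuming the budget keeps growing."""
    budgets = [current_budget * (1 + growth_rate) ** i for i in range(years)]
    return total_debt / sum(budgets)


if __name__ == "__main__":
    rows, debt = security_debt(1_000_000, 0.10, 0.02, 0.08, 5)
    for r in rows:
        print(f"year {r.year}: IT ${r.it_budget:,.0f}  spent ${r.actual_spend:,.0f}"
              f"  target ${r.target_spend:,.0f}  deficit ${r.deficit:,.0f}")
    print(f"five-year security debt: ${debt:,.0f}")
    current = rows[-1].it_budget
    print(f"balloon repayment: {catch_up_share(debt, current):.0%} of this year's IT budget")
    print(f"three-year installment: +{installment_share(debt, current, 0.10, 3):.1%} per year")

    # OPM: assumed flat $51M IT budget, 2% spent vs 8% best practice, five years
    _, opm_debt = security_debt(51_000_000, 0.0, 0.02, 0.08, 5)
    print(f"OPM (assumed flat budget): ${opm_debt:,.0f}")
```

Running it reproduces the column's figures for the widget maker ($20,000 and $29,282 actually spent in years one and five, a $366,306 five-year debt, and a 25% balloon repayment) and gives roughly $15 million for the assumed flat OPM budget. The installment function shows the point of the closing paragraph in numbers: clearing the same debt over three years costs under 8% extra per year on top of the 8% target rate.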

Interestingly, OPM recognized the need to spend more on IT security after a breach in 2014, presumably the breaches suffered by two contractors, USIS and KeyPoint Government Solutions, as well as the March 2014 breach of OPM. The most recent budget justification, submitted in February, highlighted security as the primary concern. The 2016 budget request increased IT salaries by $24.5 million (from $6.9 to $31.4 million). The increase is probably associated with the stated plan to staff a 24/7 Security Operations Center (SOC).

OPM has claimed that they learned of the latest intrusion in April 2015, and in June learned that the breach extended to the background investigation records of current, former, and prospective Federal employees and contractors. Yet OPM had already submitted a budget to pay down its security debt in February! Someone at OPM must have had a really bad feeling about their lack of security.

Going further, Gartner pegs total IT spending globally at $3.2 trillion and IT security spending at only $70 billion, or 1.8% of IT spending. The world as a whole has a lot of spending to do to pay down its cybersecurity debt.

The lesson learned from OPM and other high profile breaches is that many organizations have been under-spending on security. It is time to pay down the security debt. Doing so on the installment plan is much less painful than making a balloon payment post-breach.

UPDATE: Read this column by Chris Wysopal, co-founder and CTO of Veracode, written in 2011, for similar ideas about security debt in application code.