editor’s question
RORY DUNCAN, SECURITY GTM LEADER, UK, NTT LTD
According to NTT’s global 2019 Risk:Value report which explores why organisations are failing to make progress with their security, security budgets are failing to keep up with increasing cybersecurity risk. There has only been a minimal increase in the percentage of IT budgets attributed to security (15%), while the percentage of the operations budget attributed to security has fallen since 2018 to 16%.
While security spending has fallen, the estimated revenue loss (following a data breach) in percentage terms is up year-on-year – 12.7% in 2019, compared to 10.3% in 2018 and 9.9% in 2017, according to the report. The cost of recovery is US$1.2 million, on average.
During the current crisis, organisations are being forced to adapt to changing circumstances and prepare for a post-COVID-19 world. With more people working from home, the focus is on trying to maintain ‘business as usual’, supporting staff in virtual work environments, complete with collaboration tools, file sharing, video and teleconferencing facilities. Security processes and systems must be in place to support this new structure and ensure people can work remotely, but securely and with confidence. As a result, it’s likely that many security projects or initiatives where budget would have been allocated may have to be put on hold.
Ensuring the security basics are in place, such as patch management (NTT’s Global Threat Intelligence Report 2020 shows that old vulnerabilities remain an active target) and having incident response plans in place that are communicated to staff and tested on a regular basis, is critical during this time.
Post-COVID-19 security budgets will need to consider the implications of supporting more remote workers for longer periods, and the need to put controls in place for these new working models. For example, recognising the unexpected spend to move people to remote working, and other actions to keep the business running, such as replacing BYOD or home computing kit with corporate-controlled devices, as well as the consumption models of more cloud-based services. There’s also the question about how much office space is needed in the future, and for whom.
Reverting back to my opening comments about allocation of budgets for security, what’s really interesting is the fact that a global pandemic has changed the way most of us work. Despite all the disruption, changes and adjustments we have had to make, businesses have continued to function and security has been an important part of this. This will help CISOs in their board-level conversations when it comes to securing budget – it’s not just security, it’s business investment.
28 Issue 27 | www.intelligentciso.com