It’s virtually impossible for any large organization to have effective cybersecurity without spending money. There is, of course, an array of free software one could use to make it harder for enterprise systems to succumb to a cyberattack. Nevertheless, such bootstrapping is perhaps best left to small and micro organizations. It can only offer so much protection.
Once an institution attains a certain degree of process, procedure, and technological complexity, cybersecurity spending can no longer be an afterthought. Large corporations have to dedicate a substantial proportion of their budget to security each year.
Nevertheless, cybersecurity spending is not immune to the law of diminishing returns. Beyond a certain point, the amount of money spent on IT security won’t deliver commensurate benefit for the business. How do you know when your cybersecurity spending is over the top? Here are the key pointers.
There’s a free or cheaper equivalent solution
As previously mentioned, you must be ready to spend if you want to have a robust defense for your enterprise’s systems and data. That does not mean, though, that you have to pay any price asked for everything security-related. Evaluate the cybersecurity tools you intend to purchase. There may be an equally effective competing product available for free or at a lower price.
Remember that the price of a software or hardware item is not based on its functionality alone. A product from a major brand may be priced higher than the rest of the market not because of what it can do but because of the name it bears. Keep an open mind and make sure you are paying for functionality, not for the name.
Duplicate or overlapping solutions
This is a fairly common problem in very large organizations. Different departments or business units may inadvertently find themselves working in silos. In some corporations, the procurement officers in each business unit have considerable autonomy. They have the power to choose the product they deem best without consulting the CIO or the head office.
The result is, for instance, multiple antivirus products in use by different arms of the same enterprise. Often, a tech product carries a flat purchase price plus a per-device fee, with the per-device cost falling the more devices you license. By failing to adopt a centralized approach to technology procurement, the business misses out on the savings it could enjoy by negotiating for and acquiring a single enterprise-wide solution.
Risk not commensurate with expenditure
No large organization is immune from a cyberattack. But let’s face it — the probability of an attack is dependent on the attractiveness of the target and the potential payoff. A large multinational bank is a far more attractive target than an international humanitarian organization. It, therefore, doesn’t make financial sense for the humanitarian organization to acquire IT security systems of equal sophistication and rigor as the bank.
This is why a comprehensive risk assessment is necessary before you embark on cybersecurity spending. Establish what cyberthreats you face and what would be the potential impact on the organization if they materialized. You could start by looking at the kind of cybersecurity incidents that have affected entities in your industry. That way, your tech spending will be commensurate with your enterprise’s cybersecurity risk landscape.
You’re paying for unneeded functionality
Many tech vendors will not only talk up the wide range of features their product has but will also highlight the ‘free’ software from their business partners included with the purchase. These extras will even have their monetary value indicated to give buyers the perception of an excellent bargain. It’s all a smokescreen though.
The vendors use the extras to convince you to pay more for the core product than you need to. So, be wary of any product that includes plenty of free third-party applications that you either already have or will never need. They are never really free but have been factored into the overall price of the product.
You are replacing cybersecurity solutions almost every year
How often do you purchase new cybersecurity software or hardware? Technology is constantly changing and new threats are discovered each month. It makes sense for organizations to regularly upgrade their existing security infrastructure in cognizance of these newfound vulnerabilities. However, something is not right if you have to replace your security systems every year. Doing so is not only expensive but also a sign that you probably had not thoroughly defined your security needs before you went out to look for an appropriate product.
Enterprises should purchase tech solutions with a medium to long-term view. Always buy cybersecurity solutions that will be fit for purpose for the next three to five years. There will be times when it will not be practical for you to wait this long for a replacement (for instance, if you discover a major flaw in your existing security system or unearth a serious threat that your current solution cannot tackle). But these kinds of exceptions should be just that — exceptions.
Throwing technology at every problem
The terms IT security, cybersecurity, and InfoSec are virtually synonymous with the sophisticated software systems built to secure technology infrastructure from malware and unauthorized access. It therefore isn’t too surprising that one of the first things business executives think about when faced with a cybersecurity problem is how to procure appropriate systems to plug the gaps.
In reality, though, plenty (perhaps a majority) of cybersecurity risks are best resolved through procedural changes as well as tweaks to existing enterprise systems. Major software vendors (such as Microsoft, Oracle, Google, Adobe, and Amazon Web Services) take security seriously. Their reputation depends on it. As long as you promptly patch your systems, you’ll have done most of what you need to keep your organization’s infrastructure secure.
Cybersecurity spending: Pay only for what you need
In many ways, cybersecurity spending is not too different from any other enterprise expenditure. You have to take the necessary precautions to ensure that you only spend on what you truly need.