Are organizations getting good value from security investments?

Recent research by Gartner estimates that worldwide spending on information security products will exceed $124 billion in 2019 (Source: https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019). Taking a closer look at the numbers, almost 80% will be spent on infrastructure protection, network security equipment and security services. For most organizations, such spending would provide a strong sense of security.

However, looking back at the year, we see one organization after another biting the dust as far as safeguarding critical data is concerned. Facebook, British Airways, SingHealth, Uber and the list goes on… How is this possible? If you look closely enough, the answer lies in the same Gartner research. It is projected that only 3% (or less) will be spent on data security despite the relentless attempts to steal precious data.

According to Accenture, ransomware, which hogged most of the headlines, did not even make it into the top 3 most costly attack types, costing organizations only half as much as the threat from malicious insiders (Source: https://newsroom.accenture.com/news/cybercrime-costs-financial-services-sector-more-than-any-other-industry-with-breach-rate-tripling-over-past-five-years-according-to-report-from-accenture-and-ponemon-institute.htm).

Ponemon Institute ran another study on the average cost of a global data breach by size, which puts the price tag at $1.9 million for every 10,000 records stolen, rising to $6 million for over 50,000 records breached.

While securing the perimeter, network and endpoints is absolutely necessary, organizations need to rethink their priorities and evaluate where they will realize the most value from their cyber security investment. Merely focusing on mitigating threats within the same attack surface will inadvertently leave your crown jewels exposed and vulnerable in the era of big data. As Einstein put it plainly, insanity is doing the same thing over and over again, but expecting different results.

This presents encryption as a viable option for any organization's last line of defense against theft of sensitive and critical data by external and internal threats. Data-at-rest encryption is also widely accepted and endorsed by global regulatory frameworks such as PCI DSS and GDPR. While encryption technology has its detractors, it has evolved significantly to address potential performance and environmental impact, becoming a compelling solution for securing data-centric businesses.