There was a great quote in a recent Ponemon study sponsored by Cenzic and Barracuda: “Most organizations have been hacked, yet 88 percent still spend more on coffee than on app security.” Combined with the recent revelation that oil companies and components of our national infrastructure have been compromised (see McAfee’s Global Energy Cyberattacks: “Night Dragon” report for more information), this should be cause for significant alarm. Aside from funny quips like the one above, there are massive tangible costs associated with the recent breaches. One of the most shocking losses is the cost associated with US fighter jet technology. It’s estimated that China “saved” over $20 billion in the development of its latest stealth fighter. Although not publicly discussed, it’s commonly acknowledged that China’s advances were due in large part to lapses in US information security. What’s scary is that the breaches we are hearing about are occurring at organizations that spend significantly more than average on information security. While each has its issues, the military spends massive amounts on information security, and large oil companies tend to allocate significant budget dollars to security. In addition, the breaches at the oil companies were fairly simple: break in through externally available web applications and step through to confidential information and critical processes. Most of the attacks in the McAfee report were based on existing, commonly used tools. If highly profitable companies that spend significant amounts of money on information security are being breached, it shows how massive the problem we are facing is, and how difficult it will be for smaller, less profitable organizations to confront.
In the past, when I spoke to what might be considered an ordinary mid-sized business (one that didn’t think it had significant security needs), such as a manufacturer or a healthcare provider, the response was often “who would want to break into our environment?” Unbelievably, these comments can still be heard within the IT groups of Fortune 500 companies; however, with breaches at organizations like Minneapolis’ Valspar (a Fortune 500 paint manufacturer that had its paint formulas stolen), corporate boards are beginning to understand the information security risk within IT, and this is one of the keys to addressing the problem. Corporate boards need to wake up to the massive problem, fund information security, and demand more information about their organization’s posture on a regular basis. Since boards are usually not made up of IT or security experts, it’s the responsibility of Information Risk, Security, Audit, and IT to provide them with tangible information about security and risk posture. While boards could ask for the coffee vs. security budget ratio, there are better ways to look at this and to budget for it. However, making the point to a non-IT-oriented board takes tangible events and understandable facts. As the recent reports and news articles show, the events are happening. It’s up to boards, executive management, IT, and information security to understand the facts and plan and fund appropriately.