How best to utilize your 2020 security budget? Here are a few recommendations from those in the know
The new year is a chance for a fresh start, and for many organizations, that fresh start comes with a new budget and spending agendas. According to research by IDC, businesses spent more than $106 billion on security-related hardware, software and services in 2019, a jump of more than 10% over 2018. The spending is expected to continue growing at that rate for the next few years. Driving the spending increase are the rise in threats, changing priorities and experience with a past security incident.
Security Budget Spending Tips
That security budgets are growing is the good news. Determining how to best spend those extra dollars is the issue. There are so many choices out there and no two companies will have the same needs. But here are a few tips from security professionals on how to best approach your 2020 security expenditures.
Understand What You Already Have
At present, we have too many resources to manage, and with a push toward immutable infrastructure, we have a different velocity and paradigms to consider, said nVisium CEO Jack Mannino. To better update your security system, you need to understand what’s deployed and that what is at risk generally spans many layers, from code and software development tools to cloud and infrastructure, third-party services and data brokers your systems interact with. Once you do, he said, investing in asset inventory and automated remediation capabilities is important.
Focus on Data Protection
“The most important security program for any organization in 2020 is data protection,” said Salah Nassar, vice president at CipherCloud. If you already have a data protection program, consider expanding it, and if you don’t have one, this is the time to build one. Why? Cloud adoption has made data the new perimeter, as it is outside the traditional controls of on-prem security and managed endpoints. Large amounts of data are being created, shared and accessed in the cloud through any device that has a web browser with access to cloud apps from SaaS or IaaS, both public and private. “With new and stringent data regulations backed by governments and heavy fines, every organization collecting personally identifiable information (PII) is now regulated,” Nassar added, which makes data-centric solutions even more necessary to protect consumer data and avoid large fines.
Rethink Your Perimeter
Emerging technologies and methods are making the environment far more complex than it was with just antivirus and firewall solutions decades ago, Felix Rosbach, product manager at comforte AG, noted. Because the attack surface has shifted, traditional perimeter defense is less effective. Again, it comes down to focusing on the data first and making it useless for attackers, rather than focusing on protecting the network perimeter. That means protecting data at the earliest possible point and de-protecting it only when absolutely necessary. “This is especially true for cloud and hybrid environments where sensitive data moves between a variety of systems and independent of any technological or political borders.”
Invest in People
Cybersecurity in companies of any size is in direct relation to how much they invest in it—and it will become an appropriate investment if it encompasses economic and human factors. “Understand the human factor is not only about security awareness and the like; the real value lies in IT security expertise,” said Rui Lopes, engineering and technical support manager at Panda Security. Invest in cybersecurity staffing and training for all employees.
“The struggle is real when it comes to ensuring that company personnel are given the appropriate access to the right resources at the right time,” said Heath Renfrow, director at the Crypsis Group. “There are industry-leading solutions to help companies with the identity and access management challenge, which will help significantly reduce the risk associated with this complexity.”
While you are thinking of how to improve access control with new IAM solutions, you may also want to take a fresh look at upgrading authentication options. The time has come to stop depending on passwords and look at new, password-free options, according to Fausto Oliveira, principal security architect at Acceptto. “Secure, passwordless solutions that use continuous biobehavioral authentication will prevent the most common of the security incidents, the account breach,” he said. “A passwordless authentication solution that has good integration with risk analytics; implements good account takeover protections; takes into account the user’s biobehavioral context when granting or denying access to a resource; and integrates with a next-generation risk engine is the ideal solution.”