Is your Firm Spending too much on Information Security?

In many organizations, awareness of the need to protect critical information is high, but uncertainty persists about the practical steps that would actually protect the business better. Without a cyber security strategy in place, companies often mis-allocate their security investment, over-protecting non-sensitive data or under-protecting critical data.

A report suggests businesses may be spending too much on IT security by over-protecting non-sensitive data.

Ross Parsell, director of cyber strategy at Thales UK, warns that while the volume and scale of cyber-attacks show no sign of slowing down, there is a danger that resources are sometimes assigned to areas that do not need them.

Vendor-neutral security audits are an important way for companies to measure their risks and to judge whether the controls they have put in place are appropriate to those risks.

Businesses should conduct regular information audits that categorize information by its value to the business. If managers do not understand the business value of the information they hold, they are likely to be over-protecting non-sensitive data and/or under-protecting critical data. A more deliberate, risk-based approach to security yields cost savings by securing each class of information at the right level rather than applying the same controls everywhere.

The issue then becomes how the organization selects the most appropriate technology and vendor to meet its actual requirements.

There are three common causes for IT security budgets being spent on the wrong things:

1. The press. Technologies that are being talked up by the media can result in security budgets being redirected into technologies that address one issue, but do not cover other threats.

2. Technologies that the information security team find interesting. Just because our trusted specialist staff say we should be doing something does not necessarily mean budget should be diverted from elsewhere.

3. Vendor-driven proposals. There are many examples of vendors presenting their solutions to CIOs and being greeted by the reaction, 'we really should have this'. Stop and ask why this threat was not a consideration before, and do not be driven to a solution just because it looks like a good thing to do.

Going by the number of data breaches reported in the press, there seems little doubt that security budgets are not being allocated effectively. If the organization does not understand where the real-world risk to its data lies, it will not achieve an efficient allocation of financial resources.
