Information security budgets are falling despite a continuing rise in the number of attacks, according to a new report by management consultants PwC.
Detected security incidents have increased 66 per cent year-over-year since 2009, reaching the equivalent of 117,339 attacks per day, according to PwC's "The Global State of Information Security Survey 2015". The estimated reported average financial loss from cybersecurity incidents was $2.7m – a 34 per cent increase over 2013, according to PwC1.
However, despite the increase in attacks the survey found global information security budgets actually decreased four per cent when compared with 2013. Security spending as a percentage of IT budget has remained "stalled at 4 per cent or less" for the past five years.
“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” said Mark Lobel, a PwC advisory principal, focused on information security.
“It’s critical to fund processes that fully integrate predictive, preventive and incident-response capabilities to minimise the impact of these events,” he added.
David Robinson, chief security officer at Fujitsu UK & Ireland, expressed surprise at the fall in spending, as over the "last few months we have seen a huge amount of data breaches so it is shocking to hear that cyber security budgets falling".
"The threat facing every organisation is very real and also very hard to combat, so they can no longer afford to make errors when it comes to security," he added.
Darren Anstee, director of solutions architects at DDoS mitigation firm Arbor Networks, was also gobsmacked, arguing the importance of security needs to be sold to boards. Rather than security managers failing to make a business case for additional security tools and service, the fall is more a sign that the required dialogue is not happening effectively, he said.
"Businesses need to look closely at the risks they face, and the potential associated costs, so the value of security spending is appreciated throughout the entire management chain, all the way to board level. By investing in the appropriate solutions, training and processes organisations can minimise their risk, and reduce the longevity and cost of any breach," Anstee said.®
1Caveat - we've always thought estimating security breach losses is a hopelessly inexact science, for reasons explained here that still broadly hold true.