According to market forecasts, more companies are investing in cybersecurity and that spending is likely to increase dramatically in the next few years.
MarketsandMarkets has forecast that the cybersecurity market will grow to $170.21 billion worldwide by 2020, up from $106.32 billion in 2015. This outlook includes both technologies and services, such as those offered by managed security service providers. North America is expected to have the largest cybersecurity spending and adoption, followed by “significant growth” in Latin America and Asia Pacific, according to researchers.
In the United States, President Obama put forth a Cybersecurity National Action Plan in February 2016 that, if approved, allots $19 billion to cybersecurity across the federal government (and private sector) as part of the Fiscal Year 2017 budget. That’s a 35% increase over the FY 2016 budget. The Office of Personnel Management breach, discovered in April 2015, which exposed the personally identifiable information of federal employees (and interviewees), may have added to the sense of urgency. A $3.1 billion Information Technology Modernization Fund aimed at updating government technology and cybersecurity efforts is also part of CNAP.
It sounds like a lot of money, but you might still wonder whether cybersecurity spending is too low. That’s often the case in the private sector, despite analysts’ rosy forecasts. Many companies don’t spend money on cybersecurity until there’s a security incident and the curtains are pulled back. The Bangladesh central bank, breached by hackers in February to the tune of $81 million, was using “second hand, $10 switches” and lacked firewalls in its local networks when those systems interfaced with the SWIFT financial messaging platform, law enforcement said, according to several published reports.
Organizations may not invest in cybersecurity because the returns (savings) do not directly influence the bottom line. Is the new technology or service worth it? Configured and tuned correctly? Monitored by skilled staff?
Centralized security management may also play a part. As Adam Rice, global CISO at Cubic, noted in his article, “Can cybersecurity spending protect the U.S. government?” increasing technology investments isn’t the only answer. CISOs need to be put in place and given the resources and support to effectively do their jobs.
For some companies, ‘rent a CISO’ programs (offered by IBM among others) may provide help building security programs and prioritizing cybersecurity investments. Board-level cybersecurity discussions and hand-wringing may not increase spending until a security incident forces greater investment, however. And even then, the return on investment is a bit of a crapshoot.
As Senator Angus King (Ind.) of Maine said recently on Bloomberg’s “Political Capital with Al Hunt” when asked about former Secretary of State Hillary Clinton’s email controversy, “The irony is that the State Department’s servers were hacked and hers wasn’t.”