You were just hired as the Chief Information Security Office (CISO) of a mid-market one thousand employee company. Your first day on the job you are told that the company really hasn’t done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning this is not free unless you are a 451 client) details her findings and analysis.
I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.
Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact of the top 7 choices among CISOs, almost all of them are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies
Figure 1 courtesy of 451 Research
The difference between the purple and gold lines is those that would recommend the technology if all they had was enough for the bare minimum (purple) versus if they had a blank check (gold).
Beyond the top 7, the next tier of choices represent a little more diversity:
Figure 2 courtesy of 451 Research
What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.
I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.
Bringing up the rear in the survey were the following:
Figure 3 Courtesy of 451 Research
You can see here the very wide disparity between some the minimum requirements and blank check scenario. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.
Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m dollars for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.
What about your organization? What technologies have you deployed and what you are planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.
My full conversation with Wendy is here:
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.