DECEMBER 2018 | CIOAPPLICATIONS.COM | Page 8

IN MY VIEW

Making the Right Investment

For us, our spending has continued to increase for information security over the past three years while our overall technology spending has remained flat. This area and the new data technologies have been the growth areas for us. In terms of legacy vendors versus newer technology, we have introduced a number of new technologies as the investment and innovation in information security solutions have really provided an impressive list of new entrants. There continues to be strong investment and a significant amount of innovation, but the focus of tools has shifted from protection -- which was deemed insufficient -- to faster detection and remediation capabilities. These have become a priority, for them and for us.

The vector is still up on spending. CEOs and boards have to give their tech leadership the notion and impression of carte blanche: "What can you trade off to make room in the budget?" It was a trend in the past -- that new vendors will lower your costs and that technology costs can go down. That's not the case with information security. There is much more capability, but the overall spend is going up.

There are a number of reports available today that quantify the average cost of a cybercrime breach. For example, the latest report commissioned by IBM pegged the 2015 consolidated average cost at 3.8 million dollars. There are a few law firms that specialize in supporting boards and companies that have been breached, and they believe the number is higher than the number stated in the IBM report. For example, one law firm reported the average to be 7 million dollars. I think understanding the costs up front and having a dialogue with your board will help prepare everyone to assess the right mixture of investment in the information security function, the amount of insurance needed and the business risk the firm is willing to take. The long-term brand or reputation costs from a breach seem to be the most difficult to quantify and model.

Orion is right, and in addition to knowing the number of endpoints, you have to have the tools to be able to understand what is happening on those endpoints. What software versions are installed, what is changing, what is being added. So to assess risk, the board should be satisfied that the management team has the tools and team to inventory and monitor the company's dynamic set of endpoints.

Brad Peterson, EVP & CIO, NASDAQ