You probably know Larry Ellison as the founder and current CTO of Oracle. But he’s also passionate about sailing—although “passionate” may be an understatement. Scuttlebutt Sailing News reports that Ellison spent an estimated $500 million competing in the 2013 America’s Cup. While this amount of money is way more than most organizations’ annual security budget, frightened CEOs are starting to spend more freely. The problem is, spending alone won’t win you the America’s Cup—or protect you from cyberthreats.
No IT organization has the overly generous budget that Team Oracle did in the 2013 America’s Cup race, but look more closely at why spending on America’s Cup racing seems so out of control and it starts to look a bit more familiar.
Universal rules once meant that all America’s Cup boats were built roughly the same. Teams had to rely on the skill of the crew to make the difference in competition. But over the years, technology has become more critical to winning. Sensors, real-time analytics and carbon fiber have created a technological arms race.
Similarly, a technological arms race is also taking place between IT organizations and attackers. Attackers are investing more and more in new methods. It’s now commonly believed that nation-states are also in on the act of stealing data from corporations. If we are to believe that North Korea and China are at the heart of the Sony and Anthem attacks, the scale of resources arrayed against IT security is unprecedented. To respond, IT organizations have been allocating more budget for security—but spending on security haphazardly won’t necessarily reduce risk.
So what’s causing this increase in security spending? There is a legend that any American skipper who loses the America’s Cup must offer his head as a substitute for the trophy. In the case of the breaches at OPM, Target and Sony, it wasn’t legend: all of those breaches resulted in CEOs or the director losing their jobs.
These metaphorical decapitations, along with the growing number of assaults on companies, have prompted an 8.2% increase in security spending from 2014 to 2015, according to Gartner, resulting in $76.9 billion total.
This increased focus from the boardroom has led to companies allocating more resources to security and to security startups experiencing a 26% increase in venture capital funding last year, according to CB Insights. But spending freely won’t solve all security problems. Organizations would be wise to consider security investments that focus on the most pressing threats first, and insider threat is one of the most serious.
In the Anthem breach, the personal information of almost 80 million Americans was accessed by an attacker who stole a database administrator’s credentials. Unfortunately, stealing these credentials may not be that difficult: In the CyberEdge 2015 CyberThreat Defense Report, 77% of security professionals admitted that they are not monitoring privileged users adequately. If organizations are spending more on new security measures, privileged identity management tools should definitely be included, especially since they have been overlooked in the past.
No matter how much technology you have, it’s important to remember that the humans behind the machines play an equally important role. Team Oracle came back from an 8-1 deficit, winning eight races in a row to retain the 2013 America’s Cup—one of the great comebacks in sports history. It’s tempting to point to unlimited technology spending as the explanation, but by the time of the race, it was up to a qualified sailing crew to use that technology well. Likewise, security teams are just as important as the technologies used to defend against attacks. Organizations shouldn’t just spend blindly—they should build strong security teams and give those teams the critical technology resources they need. That will be a winning combination in the fight against cyberthreats.