But where do you start and what should be the focus? A recent Gartner report says detection and response plans should be the top security priority for organizations. Prevention is no longer the primary focus of a cyber-security program; it’s a matter of quickly detecting breaches and having a plan in place to respond and mitigate. “The shift to detection and response approaches spans people, process and technology elements and will drive a majority of security market growth over the next five years,” said Sid Deshpande, principal research analyst at Gartner.
Boards should expect a shift in the cyber-security spending recommendations from their CISO in the coming year, beginning with human capital. Because prevention has been the focus in the past, people skilled in detection and response are scarce and their services are expensive. On the equipment/software side, the need for better detection and response has created new security product segments, such as deception, endpoint detection and response (EDR), software-defined segmentation, cloud access security brokers (CASBs), and user and entity behavior analytics (UEBA). These new segments are creating net new spending but are also reducing spending on existing segments such as data security, enterprise protection platform (EPP), network security and security information and event management (SIEM). According to data gathered from Gartner, organizations spend an average of 5.6% of the overall IT budget on IT security and risk management.
Not only is the focus of cyber-security shifting, but the analysis of a successful system is changing as well. CISOs are measuring their security strategy in terms of the business value associated with quick damage limitation, in addition to threat prevention and blocking. The goal is to get better visibility across their security infrastructure to make better decisions during security incidents. This visibility will enable them to have a more strategic and risk-based conversation with their executive team and their board of directors.
Expect to see these shifts in focus from prevention to detection and response when you review your company’s cyber-security strategy. And don’t be surprised if information security is a larger line item in your next budget review. Worldwide spending on information security is expected to reach $113 billion by 2020.