Enterprises seem to be getting the message that security posture cannot be measured by pocket depth as budgets get cut.
The annual PwC information security survey is always good for a host of key results, and the 2018 report doesn’t disappoint in this regard. Only 49 percent of organisations conduct penetration tests, yet 28 percent have no idea how many cyber-attacks they suffered last year. Or how about the fact that only 44 percent of organisations in the UK formally work with others in their industry to reduce potential future risk of attack, compared to 58 percent globally? Oh, and only 53 percent have any cross-organisational team working on cyber-security issues within the enterprise itself. All of which would be food for thought, but when you also consider that security budgets have dropped by a third (from £6.2 million to £3.9 million on average) the analytical indigestion really starts to kick in.
Surely what is actually needed are deep pockets combined with better strategic thinking? If we are ever going to get on top of the security issue then it needs more money spent on better solutions, including areas such as education/training.
I can’t argue with any of that, apart from maybe the deep pockets bit. What is required would be better strategic thinking that bases the spend on actual need rather than assumed need. That way the pockets can be shallower and the security posture stronger.