The year since our previous Global Information Security Survey won't go down as one of the better years for information security. In fact, it may go down as one of the most grueling.
The payment card breaches hitting Target and Home Depot have been massive and the number of victims tallied in the hundreds of millions. The data breach bleed doesn't seem to ever let up. Most recently, nationwide sandwich shop Jimmy John's issued a breach notification. It's certainly not only payment cards that are getting hit hard, either. Healthcare services provider Community Health Systems Inc. reported theft of 4.5 million patient records over this past summer.
CSOs and their security teams were also forced to contend with many serious software vulnerabilities throughout the year. For instance, just last week, the news of the Shellshock vulnerability, the name given to a flaw found within the very widely used GNU Project's shell known as Bash, put many enterprises on notice. Because of the number of apps and devices that use Bash, the Shellshock vulnerability could very well surpass the year's previous most pressing vulnerability, Heartbleed, which was a flaw found in the way previous versions of OpenSSL encrypted data traffic between a client and a server. The attack vector in the Community Health Systems Inc. breach was attributed to Heartbleed.
With that as the backdrop of the 12th annual Global State of Information Security Survey 2015, conducted by PricewaterhouseCoopers and CSO, some of the results were to be expected, while others are quite surprising. For instance, if all of these attacks and high profile vulnerabilities have a bright side, it's that the board of directors at large companies continue to increase the amount of attention they pay to IT security. No surprise there. What is a surprise however is that IT security spending is down broadly by 4% year over year.
Respondents this year also say that they are detecting more breaches this year over last. The more than 9,700 security, IT, and business executives who participated in the survey reported that the number of incidents that they're detecting climbed to 42.8 million this year, an increase of 48%. According to the report authors, the compound annual growth rate of incidents detected annually increased 66% during the past six years.
The financial losses associated with those breaches are also (mostly) up, and trend (generally) by company size. Interestingly, small business reported that the cost of security related incidents is down 37% for them. Midsized organizations witnessed a more moderate bump, at 25%, while large companies experienced the largest increase. They're seeing a rise of 53% in security incident related costs. "Larger companies tend to have more regulatory costs associated with data breaches, and are liable to have more records compromised," says Mike Rothman, an analyst at the IT security market research firm Securosis. "I think that is driving a lot of the cost differential," he says.
Bigger data, smaller budgets
While security budgets may be down generally, interest in leveraging security analytics is not. Roughly 64% of respondents reported using big data analytics as part of their security programs. And of those that do use security data analytics, 55% said that it has helped them to detect more incidents.
Industry analytics aren't so sure how deep the benefits actually go. At least not yet. Javvad Malik, security Analyst at The 451 Group, says that he doubts many enterprises are harvesting much for their efforts. "This is just getting started at most organizations," Malik says. "Security information and event managers are collecting thousands of alerts a day, so the art is trying to make sense of it all. This is where big data platforms can help. But right now most CSOs are going to their vendors and asking how the data tools they have can help with that," Malik says.
"When people use the term big data security analytics, they could mean anything from traditional log management and queries to Hadoop to cloud services," says Rothman. "There are a lot of companies looking at how they can improve their security analytics in those ways, but how many are doing it in a way that is impacting operations? Not many. How many are spotting security events that they wouldn't otherwise know about, even less," says Rothman.
While promising, if the experts are correct, security analytics certainly holds promise for the future, but it's too soon to expect a payoff. So security data analytics certainly doesn't account for the broad drop in security budgets. In fact, with vulnerabilities and threats rising, as well as numerous big name and big impact breaches in the news throughout the year, one would expect security investments to have risen, not fallen or remained essentially flat. But that's what the report found. Small companies are reporting that they reduced security investments by 20%, while midsized and large companies have bumped their budgets by a near statistically flat 5%.
Why is this? It could be largely because information security budgets are beginning to blend into operations budgets as cloud computing initiatives begin to take root. "A greater adoption of cloud computing for enterprise applications and projects is the first reason," says Brian Honan, CEO at Dublin, Ireland-based BH Consulting. "This is moving many large IT projects away from being solely IT budget items to co-shared items with business units," he says. "We may also have witnessed a higher than usual investment in previous years in IT due to companies spending money in IT as the global economy started to recover," says Honan.
The numbers support this line of reasoning. In the previous year, which looked at 2013 spending, survey respondents reported increasing IT investments a whopping 40% and lifting information security spend by a jaw-dropping 51%. That looks like latent demand from the recession, to be sure. Unfortunately, we've yet to see a corresponding drop in publicly disclosed data breaches or in their associated costs. But there's always hope next year will be different.