Enterprises Lack Threat Data For Security Budgets

The majority of enterprises seeking to develop their security strategy for 2013 are highly reliant on the annual threat reports compiled by security and Internet-service firms.

So says a new survey conducted by security-services firm Solutionary, which found that nearly seven out of every eight companies use the global threat reports created by firms such as McAfee, Microsoft, Symantec and Verizon to guide their security strategies.

Budget Justification

Almost 80 percent of the security professionals who responded to the survey use annual threat data to support their requests for budget increases.

By creating reports that are more useful for their customers, security software specialists and service providers can benefit by helping their customers’ security teams successfully argue for budget hikes, said Rob Kraus, director of research for the Solutionary Engineering Research Team.

“Through the history of security, we have always had that challenge of how do I justify this, how do I get the money, how do we tell our bosses that it is important, how do I let our C-level executives know that we need to do this to address a lot of threats out there that could cost us a lot of money,” he said. “Organisations are still having difficulty overcoming and obtaining budget.”

Solutionary conducted the survey to guide the creation of its own global threat intelligence report, gathering feedback on what its customers would like to see in their report. Nearly 180 companies responded to the questionnaire, but not all companies answered every question. There were a number of surprises, Kraus said.

Nearly nine out of 10 companies that do not currently use global threat reports in their security process would use the documents if there were more guidance on how to garner more budget for their security teams, Kraus said. The most important topic is how to conduct self-assessments and show companies’ current weaknesses, according to more than 40 percent of surveyed companies.

“The security professionals we have out there are fighting the fight and doing a good job, but maybe they don’t have the culture of security built into their environment so much that they actually need more guidance on how to secure that funding,” Kraus said. “That’s a staggering number.”

BYOD Threat

In the past, compliance has driven budgets for security, but increasingly companies are looking to improve their security posture, not just follow the letter of compliance regulations, he said. For example, this year a growing number of organisations asked Solutionary for help analysing malware, an activity not required by compliance regulations.

The most useful part of threat reports is the executive summaries, according to a fifth of the companies surveyed. Kraus argues that these shortened versions of reports are sent to executives to help make arguments for more money. About one-sixth of companies identified statistics on global threats as the most important information, and slightly less than that sought out specifics on identified threats.

The biggest threat on the radar for 2013 is the bring your own device (BYOD) trend, said Kraus. While companies gain productivity and lower costs when employees use their own information devices, those devices lack the security controls typically enforced on internal devices. In addition, distributed denial-of-service attacks are increasingly being used to mask other aspects of an attack.

“The culture of security needs to be ingrained in your organization, and it is not going to happen overnight,” Kraus said. “Security is a team sport, and we all need to know that we need to overcome the obstacles in regards to funding.”


Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Comments

  • The individual assessment of security threats for each company has to be the most important thing as Kraus says. Companies shouldn't rely solely on threat reports as the CFOs need more specific information or they won't take it seriously after long - they need specifics. There are many aspects to consider ( http://ow.ly/grLix ) and the process will be difficult at first but the added credibility it will gain the CIO will be invaluable in the long run.
