Even with ransomware being a consistent topic in the news, do you think most companies are still approaching security as a “nice-to-have”?
If they have ever had an attack, they're probably more open to security spending, but I think you have to say, "These are the tools; this is what we need to do. I can't exactly tell you what it will save for you, but I know that a cyber attack is a brand issue." When your company gets attacked, you have a serious public relations issue you need to deal with. And they'll be receptive if they've either been in that situation, or if they had something big happen in their area recently that's caught their attention. But it is a challenge. There's a real tendency to keep saying, "We'll do it next year."
Security does tend to be a nice-to-have. Oftentimes, even if you want to do an assessment, it gets trumped by something that's clearly generating revenue, like sales. For smaller companies, resources are very limited and early on you tend to be focused on revenue growth first, then security. You almost have to come up with a policy where you do an assessment every three months. It just becomes one of your standard operating procedures (SOPs).
As far as compliance, etc., I can sell that to the board: “We need to be SOX compliant. We need to follow these SOPs in order to meet all these compliance needs.” But when it comes to potential threats, if I say, "We could potentially get this so I need to spend the money," they're not receptive.
I’ve noticed in a few companies I’ve worked for—smaller-sized organizations—that CIOs and CTOs do not treat security as an absolute necessity. We know we need it, but we have so many other priorities to fund. These ransom attacks are increasing, but what's the price for the companies that are impacted? We'd rather take a risk than protect ourselves from something that may or may not happen.
Most of the time, security is not seen as something that generates revenue. Small to medium businesses are focused on growth and how to make sales. Unless you are regulated or required to be compliant with some security standard to be able to do business in a certain area (state, industry) or with a vendor, companies don't invest adequately in security.
Now, as organizations grow, they are starting to realize the brand impact of being hit by ransomware or the penalties for leaking PII, so they start to invest more and more.
Interestingly, the security budget always gets enough funding after a security breach.