IT professionals are under pressure to simultaneously keep things ticking over and innovate, and nowhere is this more true than in cyber security. But how much should companies be allocating to cyber security innovation?
It’s a tricky question for many reasons, but Accenture’s security team have an answer: 10 to 15 percent of the total security budget.
Innovation is expensive and risky. There is an old saying in IT: “nobody ever got fired for buying IBM”.
In cyber security, perhaps the equivalent safe options are products such as firewalls and endpoint protection. In fact, recent Accenture research found that executives continue to invest in these products even though they consider other threats, ones not blocked by these solutions, to be more dangerous.
In Accenture’s High Performance Security Report 2016, surveying 2,000 security executives representing large enterprises, 53 percent said that the insider threat had the greatest material impact on their business.
However, as Kevin Richards, managing director of Accenture Security, North America, tells CBR, this was not reflected in purchasing decisions. Most respondents were spending the majority of their budgets on network and endpoint perimeter defences.
This figure may not be surprising; perhaps the reason the insider threat is considered more severe is that other threats are routinely blocked.
More strangely, however, when asked where they would direct spending if they were given more money, 54 percent said network and endpoint controls.
Of course these basics are necessary, but this attitude could be stifling cyber security innovation and preventing these organisations from becoming what Accenture terms “high performers.”
Part of the solution is simply cold hard cash: according to Richards, the highest performers are spending about five times more than low performers on their security budgets as a percentage of their IT spend.
But also crucial is the overall direction of investment. According to Ryan LaSalle, Global Managing Director of Growth and Strategy at Accenture Security, the companies that are getting better returns are also those that are looking at more advanced technologies. Examples of these could include behavioural analytics, cloud-based security or machine learning-powered security solutions.
“Because budgets have been very tight, there’s the conservative attitude that this dollar must be perfect the first time,” adds Richards.
Security professionals might understandably feel pressure to invest only in technologies that have been proven, either through adoption by competitors or simply through market longevity.
However, the best performers are piloting new ideas on a regular basis.
“They are doing it in pure lab type settings to push the envelope. One of our clients has a really robust labs function where they are trying to look ahead three or five years.”
Richards emphasises that not all these ideas have to succeed. He cites a quotation of lightbulb inventor Thomas Edison: “I have not failed. I’ve just found 10,000 ways that won’t work.”
So what would an innovation budget look like? The first step is to get a budget, however much, that your organisation is comfortable risking and possibly losing.
“It is about having the luxury of saying, these three [technologies] didn’t pan out but these two were really important,” says Richards. “If you are pushing innovation, it shouldn’t all be perfect.”
He adds that this is simply treating security innovation like any other type of innovation. Nobody, for example, expects a manufacturer not to take risks.
The 10 to 15 percent figure that Ryan LaSalle offers as a guideline comes from substantially cutting the amount spent simply on maintenance.
“Organisations moving into digital are often burdened with operations and maintenance of stuff they’ve already put in place and have less and less to spend on new things,” says LaSalle.
He says that these companies often end up spending 60 to 70 percent on operations and maintenance. That leaves 30 percent for new areas.
“That’s not enough to innovate,” says LaSalle.
The goal is to get the maintenance spend down to around 40 percent.
“Then you’ve got headroom for new programmes that you know are going to scale,” he says. These new but non-risky programmes can get 45 to 50 percent, leaving 10 to 15 percent to spend on the risky innovation.
“Some of that innovation will be things you can inject into existing programmes,” says LaSalle. “There’s strategic innovation that says these are the things I haven’t been able to solve yet so I’m going to focus my experimentation here.
“Then there’s opportunistic stuff: a new threat comes out; I need to find something to mitigate it.”
Richards says that 10 to 15 percent would be a “phenomenal” innovation budget, although the average is more like 7 percent. He suggests another way that the budget could be worked out:
“Learn from other parts of the business. How did corporate counsel, manufacturing, product divisions do it?
“If the business in general has an innovation strategy, just mimic it.”
However much ends up being spent on cyber security innovation, the message from Richards and LaSalle is clear: the key to success is not being afraid to fail.