The right (and wrong) ways to spend your security budget

Remember renting VHS videos, wearing Doc Martens, and listening to grunge on the radio? While the 1990s are just a dim memory for most of us, they live on in the data centers of many large enterprises. A surprising number of IT organizations are still collecting network access logs and parsing them like it's 1999.

Back then, everything lived on servers behind a firewall inside your data center. Software came in a box, and you installed it on racks of machines you owned. You could identify all the clients on the network, so you could control access to apps and data pretty tightly. Your biggest worries were insider threats, accidental data breaches, and the occasional malware train wreck like the Melissa Virus.

Fast-forward to today: Your line-of-business software is sitting on someone else’s servers in the cloud. Your employees and maybe even some of your customers are accessing it via a web browser or a smartphone app. Your endpoints are everywhere, and your worries have shifted from your network to any of the 3.2 billion people on the Internet who might have malicious intent.

The good news is that as threats have grown in number and scale, so have security budgets: companies are investing more in security than ever before. The bad news is that if you don't invest in the right places, your attack surface may keep growing anyway. As you ponder your own security investments, consider these four essential truths.


1. App breaches are on the rise

Today, an increasing number of breaches happen via apps, yet the majority of IT security budgets are still spent securing the network. The target is now at the application level, which has become the gateway to your data. While no one is saying you should abandon your network security spend, you need to prioritize your budget and make sure the money flows where it will have the greatest impact.

2. Identity and access control are key

The two most critical areas of security in the digital transformation era are the ability to verify the identity of any user in any location and to protect the application no matter where it resides. In other words, you have to secure both access to the application and the application itself. The network is merely a component of that, not the primary focus.

3. You can’t secure what you don’t understand

Visibility and context are key. You need to know what your apps are doing and whether they are behaving the way you expect, because the first sign of a breach is often aberrant behavior in an app. That means you need visibility into your traffic, including TLS-encrypted traffic, and the ability to act on the elements of each protocol: HTTP methods, paths, and headers; TLS (still widely called SSL) versions and cipher suites; DNS query names and types. Decrypting traffic for inspection means terminating or intercepting TLS at a point you control, so decide where that point sits and who can see the cleartext before you rely on it. Without visibility into processes and a contextual understanding of how your apps normally operate, you're operating blind.
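As an added example of what "know how your apps normally behave, then look for deviations" amounts to in practice (illustrative code written for this page, not from the original article or any vendor product), the Python below parses constructed HTTP access-log lines in an assumed key=value format, learns a per-app baseline of normal routes, response sizes and 5xx rate from one window, and then reports requests in a later window that do not fit: a route never seen before, a response far larger than usual, a jump in server errors, or traffic to an app with no baseline at all. The app names, paths, addresses and thresholds are all made up for the example.

```python
"""Baseline an app's observed HTTP behaviour and flag deviations (added example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines, not real traffic. The line format is an assumption:
# <ts> app=<name> src=<ip> method=<M> path=<p> status=<code> bytes=<n>
BASELINE_LOG = """\
2024-01-01T10:00:00Z app=billing src=10.0.1.5 method=GET path=/api/invoices status=200 bytes=1800
2024-01-01T10:00:05Z app=billing src=10.0.1.6 method=GET path=/api/invoices/12 status=200 bytes=1900
2024-01-01T10:00:09Z app=billing src=10.0.1.5 method=POST path=/api/invoices status=201 bytes=2000
2024-01-01T10:00:14Z app=billing src=10.0.1.7 method=GET path=/api/invoices/13 status=200 bytes=2100
2024-01-01T10:00:20Z app=billing src=10.0.1.6 method=GET path=/api/invoices status=200 bytes=2200
2024-01-01T10:00:25Z app=billing src=10.0.1.5 method=GET path=/api/invoices/14 status=200 bytes=1850
2024-01-01T10:00:31Z app=billing src=10.0.1.8 method=POST path=/api/invoices status=201 bytes=1950
2024-01-01T10:00:36Z app=billing src=10.0.1.7 method=GET path=/api/invoices status=200 bytes=2050
2024-01-01T10:00:40Z app=billing src=10.0.1.6 method=GET path=/api/invoices/15 status=200 bytes=2150
2024-01-01T10:00:45Z app=billing src=10.0.1.5 method=GET path=/api/invoices status=200 bytes=2000
2024-01-01T10:01:00Z app=hr src=10.0.2.5 method=GET path=/api/employees status=200 bytes=500
2024-01-01T10:01:04Z app=hr src=10.0.2.6 method=GET path=/api/employees status=200 bytes=520
2024-01-01T10:01:09Z app=hr src=10.0.2.5 method=GET path=/api/employees status=200 bytes=540
"""

# A later window to score against the baseline (also constructed).
WINDOW_LOG = """\
2024-01-02T10:00:00Z app=billing src=10.0.1.5 method=GET path=/api/invoices/77 status=200 bytes=2050
2024-01-02T10:00:03Z app=billing src=198.51.100.9 method=GET path=/api/admin/export status=200 bytes=1990
2024-01-02T10:00:07Z app=billing src=198.51.100.9 method=GET path=/api/invoices?page=all status=200 bytes=48000
2024-01-02T10:00:10Z app=billing src=198.51.100.9 method=POST path=/api/invoices status=500 bytes=2010
2024-01-02T10:00:11Z app=billing src=198.51.100.9 method=POST path=/api/invoices status=500 bytes=1995
2024-01-02T10:00:12Z app=billing src=198.51.100.9 method=POST path=/api/invoices status=500 bytes=2005
2024-01-02T10:00:20Z app=hr src=10.0.2.5 method=GET path=/api/employees status=200 bytes=530
2024-01-02T10:00:30Z app=payroll src=198.51.100.9 method=GET path=/api/salaries status=200 bytes=900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$"
)


def parse(log):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"], e["bytes"] = int(e["status"]), int(e["bytes"])
            events.append(e)
    return events


def route(path):
    """Normalise a path to its route: drop the query string, collapse numeric ids."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?", 1)[0])


def build_baseline(events):
    """Per app: the set of (method, route) pairs seen, the 5xx rate, and response-size stats."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    baseline = {}
    for app, evs in by_app.items():
        sizes = [e["bytes"] for e in evs]
        baseline[app] = {
            "routes": {(e["method"], route(e["path"])) for e in evs},
            "error_rate": sum(e["status"] >= 500 for e in evs) / len(evs),
            "bytes_mean": mean(sizes),
            "bytes_sd": pstdev(sizes),
        }
    return baseline


def detect(events, baseline, size_z=3.0, error_factor=5.0, min_error_rate=0.05):
    """Return (app, kind, detail) findings for events that deviate from the baseline."""
    findings = []
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    for app, evs in by_app.items():
        b = baseline.get(app)
        if b is None:  # traffic to something we never profiled is itself a finding
            findings.append((app, "unknown_app", f"{len(evs)} request(s) to an app with no baseline"))
            continue
        for e in evs:
            if (e["method"], route(e["path"])) not in b["routes"]:
                findings.append((app, "new_route", f"{e['src']} {e['method']} {e['path']}"))
            z = (e["bytes"] - b["bytes_mean"]) / (b["bytes_sd"] or 1.0)
            if abs(z) > size_z:  # e.g. a bulk dump where single records are normal
                findings.append((app, "size_outlier", f"{e['src']} {e['path']} bytes={e['bytes']} z={z:.1f}"))
        err = sum(e["status"] >= 500 for e in evs) / len(evs)
        if err > max(min_error_rate, error_factor * b["error_rate"]):  # probing often shows up as 5xx bursts
            findings.append((app, "error_spike", f"5xx rate {err:.0%} vs baseline {b['error_rate']:.0%}"))
    return findings


def run():
    return detect(parse(WINDOW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for app, kind, detail in run():
        print(f"{app:8} {kind:13} {detail}")
```

The same shape (learn what is normal from a window you trust, then compare) carries over to the other protocols the section names: TLS version and cipher suite per client, or DNS query names and types per host, are just different fields in the event and different baseline sets. The thresholds here are arbitrary; in practice you tune them per app, and a baseline learned from a period that already included an intrusion will quietly teach the detector that the intrusion is normal.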


4. The demand for talent outstrips supply

Corporations' appetite for better and more functional apps is almost infinite; the supply of experienced app developers is not. Newer developers, under pressure to produce apps in greater numbers and more quickly than ever before, are far more likely to introduce flaws. Meanwhile, security pros who can flag the flaws and mitigate the damage are also in short supply; current estimates say there are some 200,000 more open cybersecurity positions than there are people to fill them. Inexperienced developers coupled with a lack of experienced security pros is a disaster waiting to happen. If staffing is a problem, consider partnering with a service provider that offers tools like dynamic application security testing (DAST), which automates the discovery of known classes of vulnerabilities in a running app. Keep in mind that a scanner finds flaws rather than fixing them, so someone still has to triage and remediate what it reports.

Bottom line:

If you're like many companies today, you're probably spending the majority of your security budget on your network, and that may be leaving you vulnerable. But there are things you can do. First, make sure you're focused on app security; protecting user identities and app access are your top priorities. Next, gain visibility into all your traffic, including encrypted traffic, and establish baselines of normal behavior so you can identify anomalies. Finally, if you don't have the app security expertise in house, look for a partner who can step in and provide the protection your enterprise requires.