Cybersecurity spending: more does not necessarily mean better
April 4, 2016
Last week, I had a great opportunity to explore the APAC cybersecurity market and meet many brilliant people during Black Hat Asia 2016. Singapore’s economic miracle made its cybersecurity market as attractive as the North American one, attracting the largest security vendors to the region.
Advanced Persistent Threat (APT) protection, Threat Intelligence, Enterprise Immune Systems, Cloud Access Security Brokers (CASB), User and Entity Behavior Analytics (UEBA) – these are just a few of the offerings currently available on the cybersecurity market. I bet that many security industry professionals (including myself) hardly understand the real meaning of some of these terms, or, to be more precise, the real difference between them and the generic terms that have existed for years. But this is a topic for a dedicated article, and in this piece we would rather concentrate on cybersecurity budgets and related challenges.
Cybersecurity budgeting should start with a holistic and comprehensive risk assessment. Once all threats and vulnerabilities are listed and prioritized, companies can proceed to a properly managed RFP to select the right security controls. A security control shall assure appropriate, efficient and continuous risk mitigation in accordance with the corporate risk strategy and risk appetite. However, in reality things happen in a much different and less effective way.