Security budgets are too low that's for certain. While companies spent roughly $300 billion worldwide on Y2K remediation, only a fraction of that amount is being spent on security. Analysts at IDC estimate that worldwide spending on corporate digital security this year is less than $25 billion, including costs associated with people, products, and services.
When considering the comparison, it's also worth noting that the Y2K issue focused on a fairly specific set of threats within a finite period of time. Nevertheless, companies established cross-functional task forces, reallocated budgets, and as a result, most survived Y2K with reputations and systems largely intact. By contrast, in spite of the increased awareness of security issues after Sept. 11, 2001, business and financial managers still don't fully appreciate the business value of a sound digital-security strategy. Unlike Y2K, security threats are neither predictable nor finite. Their impact can range from terribly inconvenient to horribly catastrophic. When a security breach occurs, a company's liability, privacy, reputation, and ability to survive are compromised. And companies tend to assign responsibility for security to the IT department, even though risk is distributed throughout the business units. (See related article on an integrated enterprise approach on p. 38).
Why is so little invested in the protection of hard-won customers, valued employees, and critical assets?
For one thing, security-budget decisions are complex. To justify a long-term and appropriate level of investment in security, members of the security community consultants, influencers, integrators, and vendors have to do two things: communicate better with corporate executives, and establish a credible economic basis for security investments. Top management understood the dangers of Y2K disruptions to their business; they have to feel the same way about ongoing security risks.
Unless business managers change their thinking about security, the budget will continue to be inadequate. To begin the conversation about how security helps reduce risk and actually supports financial goals, technical and business management must first speak the same language. The technical team has to become fluent in the language of business, able to converse about assessing corporate risk as it pertains to digital security.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
