Without a doubt, the most frustrating fact I face every day is this: Companies spend a meager 4.7% of their total security budgets on identity and access management (IAM) – while compromised identities are responsible for 80 percent of all data breaches. Eighty percent. This glaring disconnect is almost more than I can wrap my head around.
Here’s the math: According to Gartner’s “Forecast: Information Security, Worldwide, 2015-2021, 2Q17 Update,” in 2015, companies spent nearly $84 billion on security. Approximately 4.7 percent of that ($4 billion) went towards identity and access management.
This year, the total security spend is projected to increase to $98.3 billion -- a whopping 17 percent increase over 2015.* That’s good news in that it suggests to us companies are taking security more seriously. Unfortunately, there’s virtually no increase in the IAM spend in terms of the overall percentage. It’s predicted to receive just 4.8 percent of the total 2017 spend.*
Looking out to 2021, $6.5 billion of what is projected to be a $132 billion spend will go towards IAM. That reflects a .2 percent increase going towards identity management over the six-year period.*
Now in terms of real dollars, there’s an undeniable increase, and that does give me reason for hope. But when you see the damage security breaches can do -- Equifax being the latest and perhaps most powerful example ever -- you have to wonder if it isn’t time for companies to reevaluate how they’re spending their security dollars. Especially when Verizon tells us in no uncertain terms that compromised identities are involved in eight out of 10 breaches.
So, What Are Companies Spending Security Budgets On?
According to the Gartner report, in 2016 companies spent just over $53 billion or 59 percent of their entire security budgets on “security services” including consulting, hardware support, implementation and IT outsourcing.* Now it goes without saying that all of these components are important in building an effective security posture.
In a perfect world, I would simply advise a bigger increase in overall security budgets to deal with the current avalanche of breaches. But that’s not realistic. Companies don’t have unlimited resources to allocate towards security, and as mentioned above, they’re already looking at a 17 percent* increase over the course of two years.
In lieu of that, companies need to take a step back and reevaluate where and how they’re spending their security budgets, and ascertain where they can get the biggest bang for their buck. I think many will be surprised.
While consulting services, hardware support and IT outsourcing are all very necessary, you have to ask yourself, “Are the dollars that I’m spending in these areas protecting my business, my employees, my data and my customers to the greatest degree possible?"
When you have 80 percent of all breaches happening due to a failure to adequately protect identities any dollars reassigned from any area within security into IAM would likely be better utilized.
The 10 Percent Solution
Resolving this problem isn’t rocket science. In fact, it’s pretty straightforward. If you don’t have the resources to increase your IAM budget -- which I would argue should be 10 percent of your overall security budget -- then it’s time to re-examine your spend and pull from security services or other areas to make up the difference.
I’m not suggesting that you drop security programs or gut budgets, but a little belt tightening in some areas could go a long way in protecting your organization in areas that are screaming for attention. Ten percent of your security budget dedicated to IAM could appreciably improve your security posture.
Not convinced? Learn how your stock price could drop 5% the day your company's breach is announced with this report.
*Gartner, Forecast: Information Security, Worldwide, 2015-2021, 2Q17 Update, 08 August 2017, table 1-2.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.