McAfee report estimates that mid-sized businesses in the U.S. spent $17.2 billion fixing IT security incidents in 2008.
How much should a midmarket company spend on security? Is it spending that money on the right technologies? How much time and effort should its IT people devote to it?
“The Security Paradox,” McAfee’s global survey of mid-sized (51-1,000 employees) companies, raises some interesting questions about the balance between the money and manpower they invest in security on the one hand and the risk they carry on the other.
Before we go too far, a caveat: the report rests on a fairly thin data set. Only about 100 companies were surveyed in each of nine countries, so the sample may be reasonable globally but is small for drawing conclusions about any one nation.
According to the report, most mid-sized companies experienced more security incidents in the last year than in the previous 12 months and are very concerned about the possibility of data breaches and IT security attacks. One out of five experienced a serious security incident that caused them to lose, on average, $41,000 (based on what they calculate as lost business) and spent, on average, $43,000 in a year remediating IT security incidents.
But while three-quarters of the companies froze or cut their IT security budgets (reducing staff, buying fewer new products, switching to cheaper stand-alone products), the telling correlation was between the amount of time the average organization devotes to security and the time it takes to recover from an incident. Overall, smaller companies that spend an hour or less per week on proactive preventive measures often spend days recovering; organizations that spend several hours a week frequently recover in less than a day.
Makes sense. If busy, understaffed IT folk in midmarket companies can find a few hours a week to focus on security, it pays off. According to the report, the majority of British and U.S. companies surveyed find or make that time. The French, not so much.
Still, the report estimates that mid-sized businesses in the U.S. alone spent $17.2 billion fixing IT security incidents in 2008.
So what does the McAfee report recommend for beleaguered middling companies in the worst economy since the Great Depression? After delivering the valuable message that they can mitigate the damage if they devote a little more time and effort to security, it concludes that what we really need to do is spend smarter:
1. Integration. Consolidate on security vendors that offer integrated suites (let’s assume they’re not recommending Symantec).
2. Centralized management (hey, we have ePO).
3. Lower costs. Integrated solutions are more economical (really a corollary of 1 and 2).
Well, it’s all probably true, but the message is rather cynical. Tell me how to find those extra hours. Tell me which activities will give me the most value for the time I invest. Then, maybe, once I have that, tell me about investing some more time in replacing my security technologies or introducing new ones.