An expert in economics and cybersecurity applies opportunity cost and other concepts of the “dismal science” to infosec roles.
Security and IT leaders are familiar with the challenge of making trade-off decisions about how and where to invest resources to best manage risks to the organization. Viewing their problems through the lens of economics may help them reprioritize these tricky investment decisions.
Tom Scholtz, research vice president at Gartner, took a deep dive into this idea during a talk at Gartner’s Security & Risk Management Summit, taking place online this week. Scholtz argued how concepts such as opportunity cost, core to the study of economics, can prove just as useful in cybersecurity, where it’s often tough to determine whether resources are spent properly.
Security spending has remained constant over the past five years, Scholtz said, pointing to data from Gartner. Still, the range of investment varies broadly. At the low end, businesses spend as little as 1.7% of their IT budget on security; at the high end, that number reaches 12% or more.
“Almost 80% of security investment is still being done on the conventional hardware, software, and human resource aspects of the security capabilities, and only just over 20% of security investments goes toward security services,” he explained, noting that Gartner expects spending on security services will grow as more organizations make the transition to cloud environments.
According to Gartner, 82% of businesses will only change their investment portfolio when they update their budgets, whether that’s on