
The Disconnect Between Spending and Implementation

Jan 7, 2019

Risk management helps identify, analyze, and remediate risks so that organizations can achieve their objectives. Anticipating the risks of emerging digital technology is the first step in IT risk management. Companies are investing more and more in IT security tools. However, there is a disconnect between spending and implementation. According to the 2018 Thales Data Threat Report, while there was a 78% increase in IT security spending, data breaches did not slow down. There may be a few reasons for this disconnect:

Overreliance on compliance

Problem: Satisfying compliance requirements does not equate to a properly safeguarded organization. It is tempting to spend a lot of money on compliance because of the regulations and the potential consequences of non-compliance. However, companies should note that compliance regulations evolve slowly compared to the advancement of technology.

Solution: Aim higher than compliance alone; concentrating on reporting efforts takes resources away from actual security efforts. Look beyond the regulations by dissecting the risk and gaining insight into how and why attacks succeed. Industry benchmarks can help create an integrated approach between security and compliance so you can achieve your cyber risk management goals along with compliance.

Implementation requires time and resources

Problem: Often a company will implement a tool without dedicating adequate resources to proper training. Spending money on the best products and services that the company ultimately cannot integrate is wasteful, as the company will be unable to use these solutions to their fullest potential. Solutions to IT risks are complex and have a learning curve. Implementation also requires a lot of time, expertise and resources, which IT security departments often lack.

Solution: Understand your organization’s capabilities to find a solution that complements its infrastructure, and then gather the resources required to implement that solution. Do not put human resources on the back burner, as digital expertise can encourage a culture of security. It is imperative to raise awareness and then train employees to help foster a cybersecurity-conscious organization. According to the 2017 IBM X-Force Threat Intelligence Index, 60% of cyber attacks result from intentional or unintentional employee activity. First, provide relatable examples so employees can understand why cybersecurity is crucial in protecting the organization and themselves. This motivates employees to go the extra mile in implementing the solutions. An organization should also make sure all employees are on board; remember, a chain is only as strong as its weakest link. Second, prepare a comprehensive training program that involves participation to keep employees engaged. It is beneficial to tailor training courses so employees don’t experience information overload. In addition, this helps employees home in on how their roles tie directly into the whole organizational effort.

A new approach is needed

Problem: Many companies increase spending on defenses that are no longer as effective, because it is hard for organizations to let go of security tools they took years to master. However, the fact of the matter is that technology is evolving quickly and a company’s defenses need to stay current.

Solution: Know when to cut your losses, because organizational agility is key for cyber risk management. On-premise security is no longer considered secure; once a hacker is able to breach one device, they have an entryway to the whole network. The future of cybersecurity is in the cloud due to its data separation technology. In addition, the cloud is more scalable and less costly to maintain than an on-premise network. An organization should emphasize detection and response and train its people to anticipate and readily respond to disruptions. As an example, CloudAccess, Inc.,* is a cloud-based security platform that can provide a 24/7 real-time holistic monitoring solution. Its services include integrated SIEM (security information and event management), log management, vulnerability scanning, penetration testing, access monitoring and much more, all in one platform. So what does this mean for your organization? CloudAccess’ predictive behavior algorithm can help detect and prevent potential threats while providing real-time alerts on impending risks. In addition, compliance will be easier to achieve, as CloudAccess provides multiple reports that can be used for risk analysis and audits. Remember, cyber-attacks are not a matter of if, but when.

The disparity between increased IT security spending and continued data breaches can be attributed to a few common mistakes. First, companies rely too much on compliance and should instead shift more effort into analyzing why attacks succeed and deploying solutions that address those risks. Second, implementing solutions requires time and effort that many organizations lack. To counteract this, encourage a culture that promotes cybersecurity through awareness and training. Last but not least, organizations need to stay up to date with technology. Use a cloud-based security platform that can provide a real-time monitoring solution. Now is the time to embrace cybersecurity, to protect your organization and yourself.

*This content is for discussion purposes only. It does not constitute an endorsement of any product or service.

PRTS Intelligence Newsletter - Q1 2019
