Image Credit: AC72 Sail 4 / Foiling / ORACLE TEAM USA / San Francisco (USA)Guilain Grenier Oracle Team USA ©
You may know Larry Ellison as the founder of Oracle and one-time CEO. He’s also passionate about sailing. In 2013, estimates put his spending on winning the America’s Cup at around $500 million – way more than most organizations’ annual security budget. Why would anyone spend that kind of money for what is ultimately bragging rights?
There is a legend that any skipper who loses the America’s Cup must offer his head as a substitute for the trophy, but that probably wasn’t the main driver for the amount of money spent. Larry’s net worth is north of $50 billion, and he’s over 70, so he can afford to blow half a billion on something he loves, and to satisfy his competitive nature.
Is IT security spending any different?
Obviously, no IT organization has a seemingly unlimited budget the way that Team Oracle did in the 2013 America’s Cup race. But look closer at why spending on America’s Cup racing seems so out of control and it starts to look a bit more familiar.
In the early years of America’s cup racing, universal rules meant that boats were built roughly the same, relying on the skill of the crew to make the difference in competition. But over the years, technology became more critical to winning. In one sense, it has become a technological arms race, though the skills of the crews that compete still matter.
IT security spending is often caught up in the technology arms race as well. Attackers are investing more in new methods and nation-states are also in on the act of attacking corporations, if we are to believe that North Korea is at the heart of the Sony attack and China is at the heart of the Anthem attack as has been said. The scale of resources arrayed against IT security is unprecedented.
Getting caught up in the technology arms race
The breaches at Target and Sony resulted in CEOs losing their jobs. Kind of like an America’s Cup skipper losing his head.
The mounting assaults on companies, and on IT, has prompted an 8.2% increase in security spending from 2014 to 2015, according to Gartner. This is dramatic, considering that IT security doesn’t directly add to the bottom line.
With that much focus from the board room, and more mindshare and resources aimed at security, security startups saw a 26% increase in VC funding last year according to CB Insights. It’s a bit of a frenzy. But organizations would be wise to consider security investments that focus on the most pressing threats first.
Where are the most pressing security investments needed?
In the movies, fingers fly furiously over keyboards as firewalls fall. In real life, today’s attackers are abusing insider credentials, especially those of privileged users.
In the Anthem breach, the personal information of almost 80 million Americans was accessed by an attacker who stole a database administrator’s credentials. In the CyberEdge 2015 CyberThreat Defense Report, 77% of security professionals admitted they are not confident they are monitoring their privileged users adequately.
Privileged identity management tools and processes aren’t new, but have been overlooked in the past. If new security investments are on the plan, this is one that should be included.
Team Oracle came back from an 8-1 deficit, winning eight races in a row to retain the America’s Cup – one of the great comebacks in sports history. It’s tempting to point to unlimited technology spending as the explanation, but by the time of the race, that was done. IT security teams can take heart in their example of the will to win, and focused effort that resulted in victory.