It's the $64,000 question in security – both figuratively and literally: where do you spend your money? Some people vote, at least initially, for risk assessment. Some for technology acquisition. Others for ongoing operations. Smart security leaders will cover all the above and more. It's interesting though – according to a recent study titled the 2017 Thales Data Threat Report, security spending is still a bit skewed. For instance, security compliance is the top driver of security spending. One would think that business risk and common sense would be core drivers but we all know how the world works.

The Thales study also found that network and endpoint security were respondents' top spending priorities, yet 30 percent of respondents say their organizations are 'very vulnerable' or 'extremely vulnerable' to security attacks. So, people are spending money on security solutions that may not be addressing their true challenges. Perhaps more email phishing testing needs to be performed. I'm finding that to be one of the most fruitful exercises anyone can do to improve their security program – as long as it's being done the right way. Maybe more or better security assessments are required. Only you – and the team of people in charge of security – will know what's best.

The mismatch of security priorities and spending is something I see all the time in my work. Security policies are documented, advanced technologies are implemented, and executives are assuming that all is well with security given all the effort and money being spent. Yet, ironically, in so many cases not a single vulnerability scan has been run, much less has a formal information risk assessment been performed. Perhaps testing has been done, but maybe it wasn't the right type of testing. Or the right technologies have been installed, but their implementation is sloppy or under-managed.

This mismatch is an issue that's especially evident in healthcare (e.g. the HIPAA compliance checkbox) but affects businesses large and small across all industries. It's the classic case of putting the cart before the horse. I strongly believe in the concept of “you cannot secure what you don't acknowledge”. But you first have to properly acknowledge the issues – not just buy into them because they're “best practice”. Simply going through the motions and spending money on security will make you look busy and perhaps demonstrate to those outside of IT and security that something is being done to address your information risks. But that's not necessarily the right thing to do.

The bottom line: don't spend that hard-won $64,000 on security just for the sake of security. Step back. Know what you've got, understand how it's truly at risk, and then, and only then, should you do something about it. Look at the bigger picture of security – what it means for your organization and how it can best be addressed based on your specific needs rather than what someone else is eager to sell you.