The Cyber Security Talent Shortage: Part II – The Haves and Have Nots of Information Security

Division BGSF
October 8, 2021

What Do Major Companies Spend on Information Security?

This is a shortlist of information security spenders. The headline grabbers. The companies that get summoned to the White House. This is only the tip of the iceberg.

It does not include:

The Above List Represents the “Information Security Haves”

These are the companies that understand the business value that security brings to their customers, their partners, and their shareholders. The “Haves” are either technology companies or those that have long understood the value that technology investments have brought to their business.  

The “Haves” understand that information security is a core component of these technology investments and have considered information security in making these decisions. The “Haves” understand that security is non-negotiable, and that customer trust is everything. They understand that a breach of confidence is damaging to their brand equity and their business. They look at security as a competitive advantage, as a way to “win business” and to differentiate themselves from their competition.  

Then There Are the “Information Security Have Nots”

The “Have Nots” are the legacy companies.

They are the companies that have been behind the curve as it relates to technology investments in their infrastructure and how they conduct business. These are the companies that initially viewed technology investments as something that they could put off, as operating in a business-as-usual environment ensured that existing profits would persist in the short term. These are companies that were slow to hire CIOs and CTOs, and when they did so, they either hired inexperienced people or the “ones that they could afford.” Just as they were laggards in technology, their approach to information and cyber security was no different.

As security became more mainstream and security incidents became more publicized, information security was something that the “Have Nots” were reluctantly forced to address. To the “Have Nots,” information security is simply another operational cost that erodes profits. In these companies, information security is still viewed as an expense item and “a necessary evil.” Information security is something that they need to spend money on to satisfy the regulators and ensure compliance. Information security is just another “checkbox.” In these companies, the prevailing attitude is that the less that they have to spend on information security, the better off they will be.  

The Haves vs. the Have Nots

The above represent two different approaches to security and business strategies. CEOs have choices on which paths they will go down and what type of companies theirs will ultimately become. CFOs have choices on how much money they want to allocate towards information security, and which metrics they utilize to determine these amounts.

But in this game, these are not the only people who have choices that matter.

Which companies will they choose to protect?

Which companies will they choose to attack?