What Do Major Companies Spend on Information Security?
- Wells Fargo – $300 Million per year
- JPMC – $600 Million per year
- Bank of America – $ 1 Billion Per Year
- Google – $10 Billion over the next 5 years
- Microsoft – $20 Billion over the next 5 years
- IBM — paying to train 150,000 new cyber security professionals
This is a shortlist of information security spenders. The headline grabbers. The companies that get summoned to the White House. This is only the tip of the iceberg.
It does not include:
- Amazon (AWS), Salesforce, Oracle, or any of the other large Cloud Services providers.
- Algorithmic hedge funds
- Cryptocurrency exchanges. It does not include the payment providers.
- Streaming services
- Large retailers that have already felt the impact of data breaches.
- The established security products and services companies
- The hundreds of pre-IPO SAAS platforms, who view security as a competitive advantage as they attempt to disrupt legacy businesses
The Above List Represents the “Information Security Haves”
These are the companies that understand the business value that security brings to their customers, their partners, and their shareholders. The “Haves” are either technology companies or those that have long understood the value that technology investments have brought to their business.
The “Haves” understand that information security is a core component of these technology investments and have considered information security in making these decisions. The “Haves” understand that security is non-negotiable, and that customer trust is everything. They understand that a breach of confidence is damaging to their brand equity and their business. They look at security as a competitive advantage, as a way to “win business” and to differentiate themselves from their competition.
Then There Are the “Information Security Have Nots”
The “Have-Nots” are the legacy companies.
They are the companies that have been behind the curve as it relates to technology investments in their infrastructure and how they conduct business. These are the companies who initially viewed technology investments as something that they could put off, as operating in a business-as-usual environment insured that existing profits would persist in the short term. These are companies that were slow to hire CIOs and CTOs, and when they did so, they either hired inexperienced people or the “ones that they could afford.” Just like they were laggards as it relates to technology, their approach to information and cyber security was not any different.
As security became more mainstream and security incidents became more publicized, information security was something that the “Have Nots” were reluctantly forced to address. To the “Have Nots,” information security is simply another operational cost that erodes profits. In these companies, information security is still viewed as an expense item and “a necessary evil.” Information security is something that they need to spend money on to satisfy the regulators and ensure compliance. Information security is just another “checkbox.” In these companies, the prevailing attitude is that the less that they have to spend on information security, the better off they will be.
The Haves vs. the Have Nots
The above represent two different approaches to security and business strategies. CEOs have choices on which paths they will go down and what type of companies theirs will ultimately become. CFOs have choices on how much money they want to allocate towards information security, and which metrics they utilize to determine these amounts.
But in this game, these are not the only people who have choices that matter.
- Employees have choices.
- Skilled labor has more choices.
- Technologists have even more choices.
- Cyber Security professionals have even more choices.
Which companies will they choose to protect?
- Hackers have choices.
- Hacktivists have more choices.
- Organized crime has even more choices.
- Foreign nation-states have even more choices.
Which companies will they choose to attack?