Data security challenges are inevitable, but solving them is not always straightforward. Companies are constantly balancing investments against risks, and information security is an area where this balance is essential. The information security industry has often pointed fingers at companies that have not invested enough in protection. Still, a closer look reveals complex issues behind this that cannot easily be simplified away. And increasingly, the burden of data security is being transferred to the company’s board.
Operating models too expensive
Data breaches are the moments when companies’ information security deficiencies come into the spotlight. With hindsight, observers wonder why more attention was not paid to information security in advance. This criticism is understandable, but the matter is not always so one-sided. Information security is more than just technical solutions. Niels Provos, Ph.D. in computer science, highlights this point in his blog: “Technological solutions are part of the answer, but the biggest challenges are often human and related to the costs of implementing technologies. Strengthening information security requires considerable resources for hiring experts and adapting solutions to individual needs.”
Management’s incentive trap
From my point of view, I have noticed the same phenomenon. The security technology market is full of options, but investments do not always follow. Niels’ findings confirm that corporate management’s incentives are rarely directed at strengthening information security. As companies strive to balance growth against other priorities, data security has to be part of that balance.
However, investing in information security should be seen as more than just an expense item. Niels points out that information security is prioritized in certain companies, especially internet-based software development companies, and they are ready to invest in it. In most companies, however, security is weighed as a trade-off against business growth. The low investment level is partly due to managers’ incentives, which direct them to invest more in business growth than in security. In this way, companies drift into a situation where data security is only reacted to once a break-in has occurred.
Insider risk is one of the most central challenges in information security, and one that technical solutions cannot always meet. Only the few companies with expert staff and a mature security posture address this risk effectively. Human factors take center stage here, and insider risk solutions are more complicated than straightforward technological measures. However, a solid technical security base is the foundation for addressing this challenge.
The burden of data security is transferred to the company’s board.
Increasing pressure is being placed on corporate boards in the field of information security. For example, the American Securities and Exchange Commission (SEC) has pushed for cyber regulation that increases the responsibilities of corporate boards regarding information security. This regulation reflects the fact that responsibility for information security is moving more and more to a higher level. As administrative requirements increase, it is essential to ensure that they lead to real improvement in information security rather than mere paperwork.
The level of investment is a vital issue. According to the research company Gartner, companies’ IT investments have ranged from 1.4% to 8.6% of turnover, and information security has received on average around 10% of the IT budget. Budget share is only one metric, though. Increasing the budget does not guarantee better information security, especially if the basics are already in place. A better strategy may be to direct resources to high-quality Cloud, NaaS, and SaaS services, where information security is built in and the provider’s security investments are far larger than an individual customer could make on its own. Such an approach supports Niels’ idea that better security is achieved through robust foundational technologies, and these technologies are often embedded in broader services. The report Perspectives on Security for the Board, aimed at the boards of large companies, sums this up.
Re-examine management incentives regarding information security
It’s time for companies to re-examine management incentives regarding information security. Although business growth is essential, security must be weighed alongside it. Data security is a multidimensional issue that requires both technological and human solutions. Board members must take on even greater responsibility, and investments should be strategically directed to high-quality services that are secure at their foundation. Only then can we expect to see significant improvements in the world of information security. Or should we admit that we, as players in the industry, have at least partially failed in our task if the company’s board now has to take the reins?
Hannu Rokka, Senior Advisor
5Feet Networks Oy