'Security is the only team that when given more budget finds more problems'
Raj Samani, chief scientist at security firm McAfee, explains why some firms are deterred from investing in security
Security is the only team in the business that generates more problems the more investment it is given.
That's the view of Raj Samani, chief scientist at security firm McAfee, speaking to Computing recently.
Samani explained that this is one reason why some firms are reluctant to invest in security, despite recent widespread ransomware outbreaks like WannaCry and NotPetya.
Computing asked if the frequency of security stories hitting mainstream headlines was helping to put the function at the top of the agenda in boardrooms.
"We're hearing the right noises for sure," said Samani. "I was speaking to the CISO of big bank recently, and he said he's briefed the board more often than any other person in the business. But the discussion is predominantly from protection perspective. They just want to know how to make sure they're protected against global outbreaks and major issues."
He also questioned if the idea that security should now be seen as a business enabler is being put across properly to boards.
"We hear the concept of security as an enabler, but is it really? Where? Show me some examples. Security is the only team that when it asks for more budget it finds more problems. When I used to be a CISO, we put investment into security awareness, and all that happened was more people spotted issues so more alerts came in. Fundamentally that goes against the nature of investment, which is that you invest, and the company benefits finanically.
"But in security, you put more investment in and then you come back and ask for even more."
Samani argued that these problems would go away if boards stopped viewing security as a separate business area and instead saw it as the foundation of every part of the organisation.
"My question is: Where can you demonstrate that investment in security can help drive additional revenue?"
Answering that question, Samani said, is the key to proving the value of security investment in the boardroom.