When a single breach can cause untold harm to your business, from millions in losses to reputational damage, operational disruption, and lost trust, you want to align your security budget with the actual threats you face. So why does the typical company allocate less than 3% of its security budget to application security—when a full 30% of successful breaches strike at the application layer?

For hackers, it’s a dream scenario, like a burglar watching a homeowner install expensive new door locks while the windows remain wide open. But it’s a dangerous situation for your business, leaving you one unlucky break away from making the wrong kind of headlines. 

How has application security spending fallen so far out of line with the actual threats companies now face?
The highly technical nature of this area can make it challenging for non-specialists to provide meaningful guidance for the allocation of security budgets—at least, that’s the excuse that’s often given. But identifying and quantifying risk doesn’t have to require specialized expertise. The stats above make all too clear that there’s gross misalignment between current attack and breach trends, and the amounts being invested in protection at those layers. The conclusion is inescapable: in light of the prevalence of successful application-layer attacks, application security spending is inadequate by an order of magnitude.

The underfunded threat
Often, security budgets tend to follow established industry practices, focusing on incremental improvements on the types of defenses already in place rather than making major shifts in approach. That would be fine if the nature of the threats companies faced remained fairly constant—but it leaves the organization at risk of falling behind when fundamental shifts in computing architecture reshape the threat landscape.

Ten years ago, the typical web app amounted to little more than a marketing channel. The site contained product information, where-to-buy or online ordering functionality, and so on, but the actual logic and data resided within the company’s own network. In that light, it made sense for network security to play the central role in threat protection. Now, however, the product itself is online, including all of its code and customer data—making web, cloud, and mobile apps the company’s largest digital assets. That also makes those assets the largest target to attackers. 

DevOps is part of the story as well, as is so often the case these days. While DevOps isn’t directly responsible for driving the need for more application security spending—that’s more a factor of the changes described above—it does create an ideal opportunity to address the changing threat landscape. As companies seek to leverage the speed and agility made possible by the DevOps model, they’re re-architecting their systems from the ground up around cloud services and other next-generation resources. Threat protection is a natural part of that conversation—as we realign the broader IT budget with the changing needs of our business, how should we also realign our security budget according to the changing nature of the risks we face?

When your biggest digital asset draws only a small fraction of your security budget, the answer is clear.

Rebalancing the security budget
Even a business-critical area like security can’t be allowed unlimited resources; increased spending on application security will need to be accompanied by reductions elsewhere. Again, changes in computing architecture provide a useful way to think about this.

In our discussions with CISOs, we consistently hear that network security accounts for approximately 70% of the typical security budget. This made sense in past years, when the typical IT organization ran a large number of internal services on physical hardware that needed continual OS maintenance and firewall management. Today, the majority of such services have been outsourced to, and are protected by, SaaS, IaaS, or PaaS providers. With far fewer internal services to protect, and a network perimeter that is being relocated into the cloud, IT can focus on what still needs to be secured for customers: the application logic and customer data in web applications. While it might not make sense to flip the allocation entirely (traditional network security threats aren’t going away), the fact that your cloud and DevOps teams are building new software from the ground up for the first time in more than a decade offers a unique opportunity to rethink and reallocate your budget to more accurately reflect your risk.

Security will always be something of a moving target as threats evolve in tandem with computing architecture. The landscape will likely change as much ten years from now as it has over the past ten years. But right now, attackers are exploiting a grievously undersecured application layer to launch an alarming number of successful breaches. Addressing that imbalance should be at the top of every C-level agenda.

About Andrew Peterson

Andrew Peterson is CEO and co-founder of Signal Sciences, a Web protection platform for the modern web. Previously, Andrew built multidisciplinary teams across five continents for such companies as Etsy, Google and the Clinton Foundation. He is also the author of Cracking Security Misconceptions (O’Reilly). Follow him @AMPeters06 @signalsciences