A Gartner security analyst is urging enterprises to ignore the hype around cyber security spending and look at areas of their business that need protection.

Speaking at the Gartner Security & Risk Management Summit in Sydney, Gartner US distinguished analyst John Girard told delegates that they should know what they were getting into before investing in cyber security.

"There is a lot of money being made in this area which needs to be questioned because you are the ones handing it out," he said.

Girard likened cyber security economics to the Ponzi scheme, named after scam artist Charles Ponzi, who was jailed in the 1920s.

"It all starts with a legitimate investment and then it gets twisted. You are promised ridiculous rates of return and encouraged to stay in the scheme," he said.

According to Girard, a lot of security vendors and practices in cyber security tend to work the same way.

"Once you get involved there is a cloud over you because if you want out, you're going to get in trouble."

"It is a problem, but the question is, for you in a particular industry, how many nation states are out to get you?"

Instead, he said that enterprises should spread their security spending across the basics rather than pouring large sums into zero-day vulnerabilities and monitoring nation-state activity.

"Ninety per cent of your money should be spent on the things you need to do such as making your network hard to penetrate and recording access attempts.

"If you are an enterprise, ignore the hype on cyber security. Collaborate with government efforts within reasonable limits and know your rights."

He advised enterprises to concentrate on keeping firewalls and other equipment up to date while securing their infrastructure.

Follow Hamish Barwick