Enterprise security spending less on skills, more on technology

Sure, enterprises are investing more in their cybersecurity efforts: but is that a good thing? It could be, depending on how it is being spent.

According to our 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies, the priorities for security spending in the next year include new technologies (47%), audits and assessments (40%), new skills and capabilities (33%), a redesign of cybersecurity strategy (24%), and a redesign of processes (15%).

Why is so much spending being targeted at technology and so little at people? There is likely a confluence of reasons: some enterprises are playing catch-up to get their program up to par, some simply can't find the talented people they need, others are likely spending on the wrong things, while still others are transitioning to cloud and making the appropriate security investments.

When respondents were surveyed regarding their on-staff cybersecurity expertise -- those very people capable of deploying and managing new security technologies -- only 26% said they have such skills in-house. Not encouraging.

"We could speculate and say that investment in people is slowing because the people don't exist," says Mike Rothman, analyst at security research firm Securosis. "This is the second-order derivative of the skills gap. We may have hit the skills gap ceiling, which means we can't invest more in people because we can't find them."

That means that, without adequate access to the skills they need, enterprise teams must streamline and automate as much of their security program as possible. Jay Leek, chief information security officer at The Blackstone Group, certainly is. "I'm investing in technologies that require as few people to run it, and are as flexible, as possible. We need to leverage our open APIs and write our own custom tools to automate and orchestrate the technologies to make them more efficient," Leek says.

That is a worthwhile exercise at any time, but an absolutely necessary one when CISOs can't find the talent they want to hire. "I'd have to look at 100 qualified resumes, distill that down into probably 30-plus interviews, to hope that I'm going to find one person that I want to extend an offer to and hope that they're going to take my offer -- because they're being chased after by dozens of other companies," Leek explains.

The lack of talent is taking its toll, says John Johnson, global security strategist at John Deere. "Most companies don't have the maturity level necessary to really make full use of their new products, so they need to focus on people and processes and not pizza boxes. That said, technology that helps to automate and which might give lower level actionable intelligence, or insights where traditional technologies don't, could help solve a problem without adding a lot of staff and infrastructure to support," Johnson says.

Johnson also says it's possible that the increase in technology spending is part of the transition away from on-premises IT and toward the cloud. "Organizations who increasingly move to the cloud and BYOD will not want to invest in on-premises infrastructure they have to support; they will start looking for cloud security services, and security vendors in that space should see significant growth," he says.

Perhaps it's a little bit of all of the above, says Mark Carrizosa, VP of security at Soha Systems and, until recently, senior security solutions architect at Walmart Global eCommerce. "It's going to be different at every company," says Carrizosa. "A common factor here with organizations is that they are continuously looking to keep up with the security landscape: new tools, new products, new services that are coming out to help combat their threats."

While that may help to mitigate those risks, it still places pressure on having the right people to manage all of those tools. But many experienced CISOs and security professionals say it's not really the size of the team that matters. "Yes, the organization needs to be able to maintain the experience and ability to manage everything. But you're starting to see security teams grow and grow and grow, and all of a sudden they end up with this huge security team of hundreds of people, and each has their own silos of experience, and that doesn't make for a cohesive group," he says.

"Some of the most effective groups that I've seen have been very small, because they've learned to 'work smarter, not harder,' and they utilize the tools properly and actually improve the incident response and effectiveness of their security posture," says Carrizosa.

Stories by George V. Hulme