Sure, enterprises are investing more in their cybersecurity efforts, but is that a good thing? It could be, depending on how the money is being spent.
According to our 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies, the priorities for security spending in the next year include new technologies (47 percent), audits and assessments (40 percent), new skills and capabilities (33 percent), a redesign of cybersecurity strategy (24 percent), and a redesign of processes (15 percent).
Why is so much spending being targeted at technology and so little at people? There is likely a confluence of reasons: some enterprises have to play catch-up to get their programs up to par, some simply can't find the talented people they need, others are likely spending on the wrong things, and still others are transitioning to cloud and making the appropriate security investments.
When respondents were surveyed regarding their on-staff cybersecurity expertise -- those very people capable of deploying and managing new security technologies -- only 26 percent said that they have such skills in-house. Not encouraging.
"We could speculate and say that investment in people is slowing because the people don't exist," says Mike Rothman, analyst at security research firm Securosis. "This is the second-order derivative of the skills gap. We may have hit the skills gap ceiling, which means we can't invest more in people because we can't find them," says Rothman.
That means that, without adequate access to the skills they need, enterprise teams need to streamline and automate as much of their security program as possible. Jay Leek, chief information security officer at The Blackstone Group, certainly is. "I'm investing in technologies that require as few people to run it, and are as flexible, as possible. We need to leverage our open APIs and write our own custom tools to automate and orchestrate the technologies to make them more efficient," Leek says.
That's likely always a great exercise, but it is an absolutely necessary one when CISOs can't find the talent they want to hire. "I'd have to look at 100 qualified resumes, distill that down into probably 30-plus interviews, to hope that I'm going to find one person that I want to extend an offer to and hope that they're going to take my offer - because they're being chased after by dozens of other companies," Leek explains.
The lack of talent is taking its toll, as John Johnson, global security strategist at John Deere, says. "Most companies don't have the maturity level necessary to really make full use of their new products, so they need to focus on people and processes and not pizza boxes. That said, technology that helps to automate and which might give lower level actionable intelligence, or insights where traditional technologies don't, could help solve a problem without adding a lot of staff and infrastructure to support," Johnson says.