To help people remain vigilant, Miller sends out phishing emails "the same way the bad guys do." If users click on the links in these messages, they're sent to a landing page and get immediate feedback about what they should have done differently. "I'm not doing this to get employees in trouble," Miller says. "I'm doing the same thing audit firms would do. People learn [best] from their mistakes."
Hire in or contract out?
Among respondents to the Forecast survey who said they expect to add staff in 2016, 25% named security initiatives as the factor driving that decision. And 33% said security was the skill they expect will be the most difficult to hire for in 2016.
In interviews, executives at small and midsize organizations say they will hire people with broad IT and security skills, rather than highly experienced experts in specific security areas, such as intrusion detection or firewalls.
Many companies are adding expertise not by hiring, but by contracting with the growing number of security services providers. As one CISO put it, one of the advantages of contracting is that it's a way of sidestepping the threat of having sought-after security employees poached by other organizations.
Frankie Duenas, CTO at Cabrillo Credit Union in San Diego, heads a small department of six IT professionals whose duties range from security and networking to programming and daily operations, and he also outsources for security assistance when necessary. "We have a budget in place to throw at security" -- either to respond to emerging threats or to respond to a need for more sophisticated security software and/or services, Duenas explains. "We're going to double that [contingency] budget next year because hacks evolve quickly, and we need to have that pot to pull from."
At Geiger, Denham says he hires third parties to handle both intrusion detection and intrusion prevention services. The company also works with outside auditors on compliance with the PCI Data Security Standard.
"I don't expect we'll hire more [security professionals into IT]," he says. Instead, Geiger will continue to turn to service providers as new needs arise.
"You're never finished with security. You can't do it all, and you can never do it fast enough," Denham says. "There's always more to do than IT can handle."
The bottom line is that security is a critical enterprise issue that never goes away, because hackers always find new ways to do damage.
For example, the industry has made great progress in fighting phishing attacks, according to PayPal's Nai, but as it has done so, the bad guys have refocused their efforts elsewhere -- on disseminating malware, for example.