The age-old problem of misaligned security budgets and staffing continues, but more money and more people may not be the answer to solving the most pressing security issues.
I didn’t go to Black Hat USA this year, but I’ve heard some chatter about the show. One person told me that he didn’t think there was one overriding theme as in years past; rather, there were murmurs that companies have the technologies and the focus has shifted to putting solutions into action. That falls in line with other commentary I’ve heard: that businesses know threats are increasing and they know they need to address those threats, yet security budgets and staffing remain stagnant.
I reached out to some cybersecurity pros and asked them: Why aren’t security budgets and staffing keeping up with the increase in both the number and the sophistication of threats? Why are companies struggling to turn the technology into solutions?
The consensus is that this issue comes down to getting the right people on the job to address security concerns.
“The staffing gap is a real issue,” said Ali Golshan, CTO and co-founder at StackRox, “and it’s growing as companies invest more in application development to fuel their business but don’t invest in staffing up security to maintain the same ratio.”
Budget—or lack thereof—plays a role in investing in staffing, said Shlomi Gian, CEO at CybeReady. “When budgeting the security department, employee cost usually represents the lion’s share.” Therefore, to meet the growing threat, Gian said, the existing security staff needs to become more efficient in order to be more effective.
Is Technology Creating the Problem?
Golshan pointed out that perhaps some of our worries about security threats may be artificially inflated and security vendors need to take some responsibility for that.
“As the security industry gets more crowded,” he said, “vendors focus on a subset of problems to solve and create features to address those issues. They then need to amplify the problem they address, sometimes perhaps making it look more serious than it is to create demand.”
Not Just Dollars and Bodies
Yes, the industry knows there is a staffing shortage that has been building for a while and isn’t going to disappear magically no matter how much security budget is tossed at it, said Steve Durbin, managing director of the Information Security Forum. The industry also knows that threats continue to evolve and emerge as our dependence on technology increases and the capabilities of threat actors increase, placing a burden on users of the technology and information, as well as on security and IT departments.
However, he added, this is not an issue solely of dollars and bodies. It is more fundamental than that.
“Every business leader will tell you that they could do more with an increased budget, so what makes security so special? Well, for one, demonstrating a return on security investment is a tricky business,” he said. “There are no certainties in security other than an attack will come—we just don’t know when and we don’t know where. For another, security is still far too often, far too remote from understanding the corporate budget game.”
What can we do better? A few suggestions from Durbin, Golshan and Gian:
- Monitor the evolving threat landscape—use forward-looking insights available such as the Threat Horizon from the Information Security Forum to form a basis of your upcoming threat monitoring.
- Use threat hunting programs to build your internal defenses.
- Bump up security awareness training for employees to keep up with emerging threats.
- Understand your compliance exposure—regulations and legislation are changing, and you will need to work closely with your legal team, and potentially with audit, to ensure appropriate levels of compliance.
- Add technologies that fit your business model and recognize there is no one-size-fits-all technology. Recognize your priorities and make sure the technology you onboard meets those priorities.
Addressing these points encourages collaboration across the enterprise and shared budgets for meeting security threats.
“We often talk about needing to align security with the business,” said Durbin. “If you do nothing else, do just that: Ensure your security programs are linked to business initiatives that are positive for the enterprise and support the business objectives, risk appetite and strategic goals.”