Threat Intelligence

8/14/2017
03:30 PM

Cybersecurity's Ceiling

Security spending and staffing are rising, but restrained resources are tempering market growth.

The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say that, despite recent increases in spending and hiring, the market is paradoxically being slowed by a shortage of resources.

In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.

"Security spending is based on failure, rather than need. The more secure that you feel, the less you spend," says John Pescatore, director of emerging security trends for SANS Institute.

Cybersecurity indeed is growing, but just not as fast as you'd think.

IT security spending growth also is hampered by a lack of available talent to pull off the needed projects, says Jeff Pollard, principal analyst with Forrester Research.

"There are capacity restrictions," says Pollard. "It is not the available funds in the budget, but the fact that you can only do three, four, or five big projects a year because of the number of people, service providers, and employee skill sets you have."

One report by CyberSecurity Ventures projects that IT security spending will soar beyond $1 trillion in revenue over the course of a five-year period ending in 2021, with 12% to 15% annual growth.

But a larger pool of industry analysts and players are expecting a slightly less robust future - with annual revenue growth of less than 10%. Cisco Systems and IBM, for example, reported security revenue growth of 9% in the third quarter and 9% in the first quarter, respectively.

Gartner is projecting a more muted level of worldwide IT security spending. The research firm predicts annual revenue growth will rise from roughly 7.6% in 2017 to 8% by 2020, says Lawrence Pingree, a Gartner analyst and vice president.

Pingree says IT security spending is expected to reach $90.1 billion this year and increase to $113.1 billion by 2020. 

And when viewing security spending as a percentage of the overall IT budget, nearly half of 400 IT professionals surveyed in a Dark Reading report, "How Enterprises Spend Their Security Dollars," say they expect to allocate 9% or less on security, with a sizable portion of this spend coming in at 5% or less. This level of security spending will largely remain in place for the next 12 months, given 40% of survey respondents noted they did not expect an increase in their overall IT budget, which in turn trickles down to the security budgets.

One possible contributor to tight security budgets and tempered growth in the industry is a desire by companies to achieve greater efficiencies with their existing technology. "Rather than spending more on security, boards are asking 'what are you doing to spend less and do it in a better way than what we are doing?'" Pescatore says. "Security in depth is spending in depth."

IT Job Growth

The shortage of workers may also be putting a cap on security market growth. When 2022 rolls around, IT security trade organization ISC2 is predicting a 1.8 million shortfall of cybersecurity professionals to fill empty or expansion positions around the world. That, in turn, might explain the bullish job growth forecasts from the Bureau of Labor Statistics, which says information security analysts should see an 18% rise in job growth between 2014 and 2024.

However, recruiting firm Robert Half Technology expects a more muted growth rate of 5% for IT security positions. Robert Half and other IT security recruiters note that the limited pool of infosec professionals available to hire is, on its own, keeping a lid on massive hiring growth.

A recent Dark Reading report on Surviving the IT Security Skills Shortage found that only 14% of the 400 IT and IT security professionals surveyed believe there are a sufficient number of skilled IT security professionals available on the market.

Meanwhile, the UK's separation from the European Union under Brexit also contributed to a slowdown in IT security hiring, as a number of new programs were put on hold that would otherwise drive jobs growth, says Owanate Bestman, an information security contract consultant for recruiting firm Barclay Simpson. The GDPR, however, is an IT security jobs driver, he says, with an estimated 30% of posted positions in the first quarter having some relationship to the new regulations.

There may not be enough infosec professionals to go around to fill those GDPR slots as well as other vacant security positions, so companies will need to seek out other ways to fill the void. Ray Rothrock, CEO of RedSeal, predicts that this will not necessarily equate to IT security growth.

"How do we prepare for this chronic skilled labor shortage?" Rothrock asks. "We need to learn to work smarter, to do more with less, to prioritize assets and vulnerabilities, to automate and integrate as much as possible."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
bradprat,
User Rank: Apprentice
8/22/2017 | 9:55:33 AM
Re: Dulhan story
Quite an interesting article, thank you.
REISEN1955,
User Rank: Ninja
8/17/2017 | 9:39:25 AM
Interesting discussion
Agree - actually BOTH inputs, human and AI, are important. I would trust, going forward, AI for the grunt work of malware analysis and then let a human evaluate threat disposition. Remember the old movie WARGAMES where the argument was made to let WOPR run the national nuclear defense network - take the human out of the equation, and look how that turned out. AI cannot replace human involvement - it can supplement it to a good degree and probably that is the larger degree. FASTER too.
juliettesultan,
User Rank: Apprentice
8/16/2017 | 11:27:18 PM
Re: This is a little off-subject, but .....
As the daughter of two dentists, I would agree to that. But my father always told me that some help in running scenarios for diagnostics could help, though in the end he would make the call. I believe AI can help IT security professionals sort through the noise and provide alerts in the right direction; human intervention is still needed to review and make the ultimate decision.

This is how AI will help us and we need to see it for what it is, a helping technology, and stop fighting it by fear that it will replace humans one day.  I do not believe it will.
REISEN1955,
User Rank: Ninja
8/16/2017 | 10:53:56 AM
This is a little off-subject, but .....
A few years ago I was discussing the involvement of computers with medical practice - with a dentist to be precise - and as much as computers (by ext, AI) could and did benefit his business, he also said this.  That when a surgeon is cutting and feeling his way around a patient on the table, computers cannot FEEL what his or her fingers FEEL and process that data to the brain.  Something to be said for that.
juliettesultan,
User Rank: Apprentice
8/16/2017 | 9:32:26 AM
Re: False Positives
True, but it is life in cybersecurity. Any threat prevention software out there has false positives; AI (and I do not mean Watson) and machine learning technologies have more capabilities to actually learn from false positives and factor them into their algorithms.
REISEN1955,
User Rank: Ninja
8/16/2017 | 8:18:14 AM
False Positives
AI must also be capable of detecting an infinite variety of false-positive hits, software that seems malicious, could be but is not after careful review.  WATSON is not the solution to everything in the western world.  
juliettesultan,
User Rank: Apprentice
8/15/2017 | 6:38:53 PM
This is where artificial intelligence will help
AI will help IT professionals work smarter, faster with the help of machine learning technologies.  If we cannot train a reasonable pool of new IT security professionals to meet the industry needs, AI will start supplementing for that and cybersecurity vendors are embracing the technology at a fast and furious pace.