Phineas T. Barnum, the famous showman and circus owner, once said, “There’s no such thing as bad publicity.” Today, senior executives in the midst of a cyber breach would likely run Mr. Barnum out the door in response to such a contextually cheeky quote.
However, Barnum might have actually been on to something. Recent research (registration required) conducted by the Darwin Deason Institute for Cybersecurity at Southern Methodist University, sponsored by IBM, shows that media coverage of data breaches is actually a top factor driving increased budgets and board level support for cybersecurity. Based on in-depth interviews with dozens of chief information security officers across retail, healthcare, government, and financial industries, the study revealed several signs that highly publicized data breaches are actually helping to improve enterprise information security.
The reason? Measured by amplified budgets and increasingly strategic security programs, cybersecurity is finally receiving due attention from the C-suite. However, this evolution comes with a new challenge: finding the staff and skills to implement these changes.
Let’s start with the good news
According to the research, CISOs are reporting positive strides in terms of C-Suite support and board-level awareness for cybersecurity. In fact, 85% reported that upper-level management support has been increasing, and 88% said that their security budgets have increased. In the words of one CISO in the survey, “Honestly, I have not seen a case where I asked for money and it's been turned down.”
While growing budgets and senior-level support are a big win, those factors alone aren’t enough to improve security postures. The great news is that it looks as though these increases are being accompanied by the use of more strategic, risk-based approaches to cybersecurity. A few years ago, the major driver of security investments was meeting compliance requirements, and investments were made to “check the box.” However, this latest research revealed that CISOs are now using a more strategic “framework” approach to prioritize risk and investment. In fact, frameworks ranked as the top approach being used by CISOs for cybersecurity investment.
These frameworks can be a vastly superior method for building and growing an effective cybersecurity program, as organizations plan security investments around business priorities and risks rather than perceived technology and compliance requirements. Interestingly, we found that many CISOs were creating customized frameworks based on their unique business models and assets, typically based on subsets of industry standards such as NIST, ISO, and COBIT.
The New Challenge: Skills and Staffing
However, as security budgets grow, so do the number of new and open security staff positions, creating a void that CISOs are struggling to fill. It’s well known that we as an industry are facing a massive cybersecurity workforce shortage, which is predicted to reach over 1.5 million open and unfilled positions by 2020. One CISO in the study said he had three open positions that were left unfilled for months, and he had only just found two suitable candidates.
This workforce challenge goes beyond just the numbers; it is also exacerbated by a growing skills gap. Many of the CISOs in the study reported that they weren’t able to take full advantage of their technology investments because security staff couldn’t fully consume all of the features and advanced applications. The end result is that CISOs are faced with increased pressure to implement robust security programs with larger budgets while, at the same time, they struggle to find the staff and skills to make these visions a reality.
What’s the solution? While this clearly isn’t a problem that can be fixed overnight, there are both short- and long-term steps organizations can take to address the cyber skills challenge:
Outside Help: One option for companies struggling with the talent shortage is to supplement skills and resources via service providers through staff augmentation and consulting. In our work with clients, we’ve seen that many companies are now exploring alternate deployment models such as managed security services, Security-as-a-Service (SaaS) and integrated appliances.
Intelligence Sharing: CISOs are increasingly relying on peer networks and third-party data to enhance their threat intelligence. To help with this movement, this year IBM opened up its threat data with the creation of IBM X-Force Exchange, a platform that encourages the sharing of real-time threat data, research and intelligence across organizations. Individual industries also have their own intelligence sharing platforms, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Retail Information Sharing & Analysis Center.
Education and Training: While service contracts, alternative deployment models and information sharing can help minimize the impact of the skills gap in the near term, we must also focus on building a strong security workforce prepared for the threats that lie ahead. Security leaders and academic institutions must collaborate to improve skills development for the future security workforce, integrating business components into technical curriculum and vice versa. Additionally, security experts can help academia by providing tools and helping develop curriculum that mimics real-world conditions and the challenges of today’s security leaders.
Despite these challenges, it is exciting to see our industry transforming towards programs and practices based on managing risks instead of checkboxes. While it’s no secret that hackers are strategically becoming more collaborative and sophisticated in the battle for corporate data, it’s encouraging to see that companies are now evolving their own investments and security programs to do the same.
Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands, November 12 & 13, 2015.