Bob Kalka

Bad News is Good News For Security Budgets But Not Skills

Cybersecurity is finally getting the attention - and dollars - it deserves from the C-Suite. The challenge now is finding the talent to take full advantage of these technology investments.

Phineas T. Barnum, the famous showman and circus owner once said, “There’s no such thing as bad publicity.” Today, senior executives in the midst of a cyber breach would likely run Mr. Barnum out the door in response to such a contextually cheeky quote.

However, Barnum might actually have been on to something. Recent research (registration required) conducted by the Darwin Deason Institute for Cybersecurity at Southern Methodist University, sponsored by IBM, shows that media coverage of data breaches is a top factor driving increased budgets and board-level support for cybersecurity. Based on in-depth interviews with dozens of chief information security officers across the retail, healthcare, government, and financial industries, the study revealed several signs that highly publicized data breaches are actually helping to improve enterprise information security.

The reason? Measured by amplified budgets and increasingly strategic security programs, cybersecurity is finally receiving due attention from the C-suite. However, this evolution comes with a new challenge: finding the staff and skills to implement these changes.

Let’s start with the good news
According to the research, CISOs are reporting positive strides in terms of C-suite support and board-level awareness of cybersecurity. In fact, 85% reported that upper-level management support has been increasing, and 88% said that their security budgets have increased. In the words of one CISO in the survey, “Honestly, I have not seen a case where I asked for money and it's been turned down.”

While growing budgets and senior-level support are a big win, those factors alone aren’t enough to improve security postures. The great news is that it looks as though these increases are being accompanied by the use of more strategic, risk-based approaches to cybersecurity. A few years ago, the major driver of security investments was meeting compliance requirements, and investments were made to “check the box.” However, this latest research revealed that CISOs are now using a more strategic “framework” approach to prioritize risk and investment. In fact, frameworks ranked as the top approach used by CISOs to guide cybersecurity investment.

These frameworks can be a vastly superior method for building and growing an effective cybersecurity program, as organizations plan security investments around business priorities and risks rather than perceived technology and compliance requirements. Interestingly, we found that many CISOs were creating customized frameworks based on their unique business models and assets, typically built from subsets of industry standards such as NIST, ISO, and COBIT.

The New Challenge: Skills and Staffing
However, as security budgets grow, so does the number of new and open security staff positions, creating a void that CISOs are struggling to fill. It’s well known that we as an industry are facing a massive cybersecurity workforce shortage, which is predicted to reach over 1.5 million open and unfilled positions by 2020. One CISO in the study said he had three open positions that were left unfilled for months, and he had only just found two suitable candidates.

This workforce challenge goes beyond just the numbers; it is also exacerbated by a growing skills gap. Many of the CISOs in the study reported that they weren’t able to take full advantage of their technology investments because security staff couldn’t fully consume all of the features and advanced applications. The end result is that CISOs face increased pressure to implement robust security programs with larger budgets while, at the same time, they struggle to find the staff and skills to make these visions a reality.

What’s the solution? While this clearly isn’t a problem that can be fixed overnight, there are both short- and long-term steps organizations can take to address the cyber skills challenge:

Outside Help: One option for companies struggling with the talent shortage is to supplement skills and resources via service providers through staff augmentation and consulting. In our work with clients, we’ve seen that many companies are now exploring alternate deployment models such as managed security services, Security-as-a-Service (SaaS) and integrated appliances.

Intelligence Sharing: CISOs are increasingly relying on peer networks and third-party data to enhance their threat intelligence. To help with this movement, this year IBM opened up its threat data with the creation of IBM X-Force Exchange, a platform that encourages the sharing of real-time threat data, research and intelligence across organizations. Individual industries also have their own intelligence sharing platforms, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Retail Information Sharing & Analysis Center.

Education and Training: While service contracts, alternative deployment models and information sharing can help minimize the impact of the skills gap in the near term, we must also focus on building a strong security workforce prepared for the threats that lie ahead. Security leaders and academic institutions must collaborate to improve skills development for the future security workforce, integrating business components into technical curriculum and vice versa. Additionally, security experts can help academia by providing tools and helping develop curriculum that mimics real-world conditions and the challenges of today’s security leaders.

Despite these challenges, it is exciting to see our industry transforming towards programs and practices based on managing risks instead of checkboxes. While it’s no secret that hackers are strategically becoming more collaborative and sophisticated in the battle for corporate data, it’s encouraging to see that companies are now evolving their own investments and security programs to do the same.


Bob Kalka is Vice President of IBM Security, responsible for IBM's global technical sales, strategic accounts and enablement programs. He has held a number of leadership positions in product management, sales, business development, marketing management and product ...

Andre Gironda
User Rank: Apprentice
11/16/2015 | 2:56:24 PM
Re: Skills gap is verified by ISACA studies as well - good article
No degree should ever be necessary for any job in cyber risk or infosec.

A Security+ for entry-level and CISSP is a nice-to-have for non-entry-level. Best place to recruit is at local chapters that do not charge any membership fees or pay any dues, e.g., OWASP. The chapter meeting locations should always be at a focal point of your city's public transportation crossways and always, always, always should be handicap-accessible.

As for the minimum-years per technology acronym or buzzword -- those requirements just need to go away completely. They are so annoying to everyone involved. Who writes these?
Joe Stanganelli
User Rank: Ninja
10/31/2015 | 5:44:01 AM
Re: Skills gap is verified by ISACA studies as well - good article
I think the number-one contributor to this problem is "purple squirrel" hiring tactics.  10 years of experience with nascent technology.  A minimum of three certifications.  And, of course, a masters or better.

Meanwhile, US government email accounts and other government systems are getting pwned by high schoolers.
User Rank: Apprentice
10/29/2015 | 10:56:45 AM
Skills gap is verified by ISACA studies as well - good article
Bob, you are on target regarding the need for skilled cybersecurity professionals. Another recent study found that 82% of organizations expect to be attacked in 2015, but they are relying on an unqualified talent pool. The State of Cybersecurity: Implications for 2015 study conducted by ISACA, a global leader in cybersecurity, and RSA Conference also found that more than half say it can take as long as six months to find a qualified candidate; and more than a third are left with job openings they cannot fill. The current high risk environment is made worse by this global lack of skilled talent. ISACA is working to close this gap through its Cybersecurity Nexus (CSX), which offers innovative skills-based training and performance-based certifications to meet complex business needs. It is critical that we work together to address this issue. Thanks for sharing your insights.

Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, International President, ISACA