10:00 AM
Bob Kalka

Bad News is Good News For Security Budgets But Not Skills

Cybersecurity is finally getting the attention - and dollars - it deserves from the C-Suite. The challenge now is finding the talent to take full advantage of these technology investments.

Phineas T. Barnum, the famous showman and circus owner, once said, “There’s no such thing as bad publicity.” Today, senior executives in the midst of a cyber breach would likely run Mr. Barnum out the door in response to such a contextually cheeky quote.

However, Barnum might have actually been on to something. Recent research (registration required) conducted by the Darwin Deason Institute for Cybersecurity at Southern Methodist University, sponsored by IBM, shows that media coverage of data breaches is actually a top factor driving increased budgets and board-level support for cybersecurity. Based on in-depth interviews with dozens of chief information security officers across retail, healthcare, government, and financial industries, the study revealed several signs that highly publicized data breaches are actually helping to improve enterprise information security.

The reason? Measured by amplified budgets and increasingly strategic security programs, cybersecurity is finally receiving due attention from the C-suite. However, this evolution comes with a new challenge: finding the staff and skills to implement these changes.

Let’s start with the good news
According to the research, CISOs are reporting positive strides in terms of C-Suite support and board-level awareness for cybersecurity. In fact, 85% reported that upper-level management support has been increasing, and 88% said that their security budgets have increased. In the words of one CISO in the survey, “Honestly, I have not seen a case where I asked for money and it's been turned down.”

While growing budgets and senior-level support are a big win, those factors alone aren’t enough to improve security postures. The great news is that it looks as though these increases are being accompanied by the use of more strategic, risk-based approaches to cybersecurity. A few years ago, the major driver of security investments was meeting compliance requirements, and investments were made to “check the box.” However, this latest research revealed that CISOs are now using a more strategic “framework” approach to prioritize risk and investment. In fact, frameworks ranked as the top approach being used by CISOs for cybersecurity investment.

[Chart: Top security prioritization approaches]
Source: 'Identifying How Firms Manage Cybersecurity Investment,' IBM-sponsored study by the Darwin Deason Institute for Cyber Security, Southern Methodist University.

These frameworks can be a vastly superior method for building and growing an effective cybersecurity program, as organizations plan security investments around business priorities and risks rather than perceived technology and compliance requirements. Interestingly, we found that many CISOs were creating customized frameworks based on their unique business models and assets, typically based on subsets of industry standards such as NIST, ISO, and COBIT.

The New Challenge: Skills and Staffing
However, as security budgets grow, so do the number of new and open security staff positions, creating a void that CISOs are struggling to fill. It’s well known that we as an industry are facing a massive cybersecurity workforce shortage, which is predicted to reach over 1.5 million open and unfilled positions by 2020. One CISO in the study said he had three open positions that were left unfilled for months, and he had only just found two suitable candidates.

This workforce challenge goes beyond just the numbers; it is also exacerbated by a growing skills gap. Many of the CISOs in the study reported that they weren’t able to take full advantage of their technology investments because security staff couldn’t fully consume all of the features and advanced applications. The end result is that CISOs are faced with increased pressure to implement robust security programs with larger budgets while, at the same time, they struggle to find the staff and skills to make these visions a reality.

What’s the solution? While this clearly isn’t a problem that can be fixed overnight, there are both short- and long-term steps organizations can take to address the cyber skills challenge:

Outside Help: One option for companies struggling with the talent shortage is to supplement skills and resources via service providers through staff augmentation and consulting. In our work with clients, we’ve seen that many companies are now exploring alternate deployment models such as managed security services, Security-as-a-Service (SaaS) and integrated appliances.

Intelligence Sharing: CISOs are increasingly relying on peer networks and third-party data to enhance their threat intelligence. To help with this movement, this year IBM opened up its threat data with the creation of IBM X-Force Exchange, a platform that encourages the sharing of real-time threat data, research and intelligence across organizations. Individual industries also have their own intelligence sharing platforms, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Retail Information Sharing & Analysis Center.

Education and Training: While service contracts, alternative deployment models and information sharing can help minimize the impact of the skills gap in the near term, we must also focus on building a strong security workforce prepared for the threats that lie ahead. Security leaders and academic institutions must collaborate to improve skills development for the future security workforce, integrating business components into technical curriculum and vice versa. Additionally, security experts can help academia by providing tools and helping develop curriculum that mimics real-world conditions and the challenges of today’s security leaders.

Despite these challenges, it is exciting to see our industry transforming toward programs and practices based on managing risks instead of checkboxes. While it’s no secret that hackers are strategically becoming more collaborative and sophisticated in the battle for corporate data, it’s encouraging to see that companies are now evolving their own investments and security programs to do the same.


Bob Kalka is Vice President of IBM Security, responsible for IBM's global technical sales, strategic accounts and enablement programs. He has held a number of leadership positions in product management, sales, business development, marketing management and product ...

Andre Gironda
User Rank: Apprentice
11/16/2015 | 2:56:24 PM
Re: Skills gap is verified by ISACA studies as well - good article
No degree should ever be necessary for any job in cyber risk or infosec.

A Security+ for entry-level and CISSP is a nice-to-have for non-entry-level. Best place to recruit is at local chapters that do not charge any membership fees or pay any dues, e.g., OWASP. The chapter meeting locations should always be at a focal point of your city's public transportation crossways and always, always, always should be handicap-accessible.

As for the minimum-years per technology acronym or buzzword -- those requirements just need to go away completely. They are so annoying to everyone involved. Who writes these?
Joe Stanganelli
User Rank: Ninja
10/31/2015 | 5:44:01 AM
Re: Skills gap is verified by ISACA studies as well - good article
I think the number-one contributor to this problem is "purple squirrel" hiring tactics. 10 years of experience with nascent technology. A minimum of three certifications. And, of course, a masters or better.

Meanwhile, US government email accounts and other government systems are getting pwned by high schoolers.
User Rank: Apprentice
10/29/2015 | 10:56:45 AM
Skills gap is verified by ISACA studies as well - good article
Bob, you are on target regarding the need for skilled cybersecurity professionals. Another recent study found that 82% of organizations expect to be attacked in 2015, but they are relying on an unqualified talent pool. The State of Cybersecurity: Implications for 2015 study conducted by ISACA, a global leader in cybersecurity, and RSA Conference also found that more than half say it can take as long as six months to find a qualified candidate; and more than a third are left with job openings they cannot fill. The current high-risk environment is made worse by this global lack of skilled talent. ISACA is working to close this gap through its Cybersecurity Nexus (CSX), which offers innovative skills-based training and performance-based certifications to meet complex business needs. It is critical that we work together to address this issue. Thanks for sharing your insights.

Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, International President, ISACA