
Cybersecurity's Ceiling

Security spending and staffing are rising, but restrained resources are tempering market growth.

The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say despite recent increases in spending and hiring, the market paradoxically is being slowed by a shortage of resources.

In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.

"Security spending is based on failure, rather than need. The more secure that you feel, the less you spend," says John Pescatore, director of emerging security trends for SANS Institute.

Cybersecurity indeed is growing, but just not as fast as you'd think.

IT security spending growth also is hampered by a lack of available talent to pull off the needed projects, says Jeff Pollard, principal analyst with Forrester Research.

"There are capacity restrictions," says Pollard. "It is not the available funds in the budget, but the fact that you can only do three, four, or five big projects a year because of the number of people, service providers, and employee skill sets you have."

One report by CyberSecurity Ventures projects that IT security spending will soar beyond $1 trillion in revenue over the five-year period ending in 2021, with 12% to 15% annual growth.

But a larger pool of industry analysts and players expects a slightly less robust future, with annual revenue growth of less than 10%. Cisco Systems and IBM, for example, reported security revenue growth of 9% in the third quarter and 9% in the first quarter, respectively.

Gartner is projecting a more muted level of worldwide IT security spending. The research firm predicts that annual revenue growth will rise from along the lines of 7.6% in 2017 to 8% by 2020, says Lawrence Pingree, a Gartner analyst and vice president.

Pingree says IT security spending is expected to reach $90.1 billion this year and increase to $113.1 billion by 2020. 

And when security spending is viewed as a percentage of the overall IT budget, nearly half of 400 IT professionals surveyed in a Dark Reading report, "How Enterprises Spend Their Security Dollars," say they expect to allocate 9% or less to security, with a sizable portion of this spend coming in at 5% or less. This level of security spending will largely remain in place for the next 12 months, given that 40% of survey respondents noted they did not expect an increase in their overall IT budget, which in turn trickles down to the security budgets.

One possible contributor to tight security budgets and tempered growth in the industry is a desire by companies to achieve greater efficiencies with their existing technology. "Rather than spending more on security, boards are asking 'what are you doing to spend less and do it in a better way than what we are doing?'" Pescatore says. "Security in depth is spending in depth."

IT Job Growth

The shortage of workers may also be putting a cap on security market growth. When 2022 rolls around, IT security trade organization ISC2 is predicting a 1.8 million shortfall of cybersecurity professionals to fill empty or expansion positions around the world. That, in turn, might explain the bullish job growth forecasts from the Bureau of Labor Statistics, which says information security analysts should see an 18% rise in job growth between 2014 and 2024.

However, recruiting firm Robert Half Technology expects a more muted growth rate of 5% for IT security positions. Robert Half and other IT security recruiters note that the limited pool of infosec professionals available to hire is alone keeping a lid on massive hiring growth.

A recent Dark Reading report on Surviving the IT Security Skills Shortage found that only 14% of the 400 IT and IT security professionals surveyed believe there are a sufficient number of skilled IT security professionals available on the market.

Meanwhile, the UK's separation from the European Union under Brexit also contributed to a slowdown in IT security hiring, as a number of new programs were put on hold that would otherwise drive jobs growth, says Owanate Bestman, an information security contract consultant for recruiting firm Barclay Simpson. The GDPR, however, is an IT security jobs driver, he says, with an estimated 30% of posted positions in the first quarter having some relationship to the new regulations.

There may not be enough infosec professionals to go around to fill those GDPR slots as well as other vacant security positions, so companies will need to seek out other ways to fill the void. Ray Rothrock, CEO of RedSeal, predicts that this will not necessarily equate to IT security growth.

"How do we prepare for this chronic skilled labor shortage?" Rothrock asks. "We need to learn to work smarter, to do more with less, to prioritize assets and vulnerabilities, to automate and integrate as much as possible."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
 

Comments
bradprat
User Rank: Apprentice
8/22/2017 | 9:55:33 AM
Re: Dulhan story
Quite an interesting article, thank you.
REISEN1955
User Rank: Ninja
8/17/2017 | 9:39:25 AM
Interesting discussion
Agree - actually BOTH inputs, human and AI, are important. I would trust, going forward, AI for the grunt work of malware analysis and then let a human evaluate threat disposition. Remember the old movie WARGAMES where the argument was made to let WOPR run the national nuclear defense network - take the human out of the equation, and look how that turned out. AI cannot replace human involvement - it can supplement it to a good degree and probably that is the larger degree. FASTER too.
juliettesultan
User Rank: Apprentice
8/16/2017 | 11:27:18 PM
Re: This is a little off-subject, but .....
As the daughter of two dentists, I would agree to that. But my father always told me that some help in running scenarios for diagnostic could help, though in the end he would make the call. I believe AI can help IT security professionals sort through the noise and provide alerts in the right direction; human intervention is still needed to review and make the ultimate decision.

This is how AI will help us and we need to see it for what it is, a helping technology, and stop fighting it by fear that it will replace humans one day.  I do not believe it will.
REISEN1955
User Rank: Ninja
8/16/2017 | 10:53:56 AM
This is a little off-subject, but .....
A few years ago I was discussing the involvement of computers with medical practice - with a dentist to be precise - and as much as computers (by ext, AI) could and did benefit his business, he also said this.  That when a surgeon is cutting and feeling his way around a patient on the table, computers cannot FEEL what his or her fingers FEEL and process that data to the brain.  Something to be said for that.
juliettesultan
User Rank: Apprentice
8/16/2017 | 9:32:26 AM
Re: False Positives
True, but it is life in cybersecurity. Any threat prevention software out there has false positives; AI (and I do not mean Watson) and machine learning technologies have more capabilities to actually learn from false positives and factor them into their algorithms.
REISEN1955
User Rank: Ninja
8/16/2017 | 8:18:14 AM
False Positives
AI must also be capable of detecting an infinite variety of false-positive hits, software that seems malicious, could be but is not after careful review.  WATSON is not the solution to everything in the western world.  
juliettesultan
User Rank: Apprentice
8/15/2017 | 6:38:53 PM
This is where artificial intelligence will help
AI will help IT professionals work smarter, faster with the help of machine learning technologies.  If we cannot train a reasonable pool of new IT security professionals to meet the industry needs, AI will start supplementing for that and cybersecurity vendors are embracing the technology at a fast and furious pace.