The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets, averaging $4.3 million this year, represent a gain of 51% over the previous year; that figure is nearly double the $2.2 million spent in 2010, according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
The question is, why? Why are security budgets rising while enterprises still are not getting the results they hoped for? "Many organisations are infatuated with buying the latest trendy thing, whether or not it makes the most sense for their specific security posture," says Jay Leek, chief information security officer at The Blackstone Group.
The 11th annual Global Information Security Survey of 9,600 executives also found that the number of organisations reporting losses of greater than $10 million per incident is up 75 percent from just two years ago. The costs of these breaches are also rising, with data breaches up 9 percent in 2013 from 2012.
One thing is certain: organisations are not spending on the technologies and capabilities best suited to spotting advanced attackers, such as malware analysis (only 51% do so), inspection of traffic leaving the network (41%), rogue device scanning (34%), deep packet inspection (27%), or threat modeling (21%).
With all of this in mind, how do you tell if that increase in budget you received is being spent in the right areas?
The right staff
First up: make sure your team is well positioned when it comes to security staff.
"Figuring out if you are understaffed or overstaffed can be tricky," says John Pescatore, director of emerging security trends at SANS Institute. "If you have 10 firewalls, how many full-time equivalents does it take to manage them? If you have three people taking care of 10 firewalls, you either have really bad firewall managers or you should invest in a tool so that one person can manage those 10 firewalls," he says.
One way to evaluate staffing is to look at how many full-time equivalents are in the security program as a percentage of total IT positions. Another is to compare your security-to-general-IT staff ratio with the same ratio within your industry, to see how your security staffing stands in contrast to your peers, says Pescatore. "That's a good indication. Be sure to take into account how many full-time equivalents may be in place through outsourcing arrangements, such as firewall management and monitoring," he explains.
Understaffing of security professionals is likely to create a situation where the organisation ends up pushing unsecured projects into production and is unable to respond properly to incidents or to maintain a healthy security program. This means that those who are there will be constantly jumping from one emergency to the next.
And when it comes to security budget spending, at least in the next few years, it would be wise to invest in people while organisations can still find those who are qualified. According to a just-released study from IT certifications provider (ISC)2, about 2.25 million information security professionals were working worldwide last year. That figure is expected to leap to 4.25 million in two years, and (ISC)2 expects that there could be a 47% shortage of security professionals qualified to fill those positions.
Our own "State of the CSO" in 2013 found that this demand for skilled IT security professionals is already straining organisations' ability to attract top security talent. It is the larger companies that are most likely to increase their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organisations. In fact, finding and retaining skilled IT security workers was identified among the greatest challenges for 31 percent of large companies.