Security doesn’t just have a talent problem – it has a spending problem too, survey shows

Join today’s leading executives online at the Data Summit on March 9th. Register here.

As much as cybersecurity spending has risen in recent years, it still has a ways to go before businesses are at an adequate level, according to a new survey of IT security leaders.

Research firm Gartner forecast that cybersecurity spending in 2021 would reach $150.4 billion, up 12.4% from the year before. Notably, that rate of spending growth in security nearly doubled the rate of 6.4% from 2020.

Spending has surged following a series of high-profile breaches, along with massive security challenges for many companies resulting from continued remote work and accelerated digital transformation.

“When the threat environment elevates almost exponentially from the prior period, what happens right after that? Massive customer spending,” said Dave DeWalt, the former CEO of FireEye and McAfee, and now the founder and managing director at venture firm NightDragon, in a recent interview with VentureBeat.

However, half of security leaders aren’t yet satisfied, according to a survey released today by security operations provider Arctic Wolf.

The company’s State of Cybersecurity 2022 Trends report surveyed more than 300 IT security decision makers located worldwide. The survey found that 50% of security leaders believe their organization’s cybersecurity budget “fails to meet the minimum figure they need to remain on track with their security goals.”

This suggests that the widespread issue of a shortage of security talent may not just be about a shortfall in the supply of cybersecurity professionals to meet the huge demand, says Ian McShane, field chief technology officer at Arctic Wolf.

Under-investment

Instead, businesses clearly still aren’t spending enough on security — and on top of that, they’re not deploying the budget that they do have in the right ways, McShane said in an interview.

“We’ve been talking about security teams being overburdened and understaffed for at least a decade,” he said.

And that hasn’t changed even with the spike in cyber spending during the past few years, McShane said. “They’re not investing enough in people,” he said.

Meanwhile, too many companies are hung up on hiring “rockstars” and “unicorns” in security, McShane said. Companies have been keen to hire people they expect to hit the ground running and have an instant impact, rather than looking for people with fewer years of experience who can learn on the job, he said.

“I don’t believe that there’s a talent shortage,” McShane said. “I think that [companies] are struggling to attract the talent they’re looking for, because they’re looking for the wrong kind of talent.”

Additionally, many companies are spending more than they need to on security tools — some of which go unused or under-used — and that money that could be re-allocated to staffing and training, he said.

If an average organization has 50 security tools, “maybe they don’t necessarily need to have all those 50 tools,” McShane said. “If you haven’t got enough people, how many of those tools are actually being used?”

Most organizations, he said, could benefit from an audit of what they spend on tooling and answer some tough questions such as, “Am I using this to the best of its ability?” and, “What would happen if I stopped using this?”

For example, “maybe you don’t renew 20 of those products and you hire four people that gives you a 24 x 7 shift capability,” McShane said.

Ultimately, alert fatigue is not the only issue affecting security staff — “it’s the inability to do enough tactically and strategically to keep the security ship afloat,” he said. “And I think the frontline staff are asking why more isn’t being spent where it’s needed.”

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More

Source: Read Full Article