Evolving risks and business technologies shift focus in security budgets
Stories by George V. Hulme
Ever consider conducting your own security research but didn’t know where to start? DataGravity CISO Andrew Hay has some advice for you.
There’s no shortage of arguments that cybersecurity needs to be aligned with the needs of the business, or that security is now a “boardroom issue.” And it seems that a new report or study is issued every day that states that boards of directors are more involved with their organizations’ cybersecurity efforts than ever before.
There is little doubt cybersecurity is a hot career path right now. According to labor analytics firm Burning Glass, cybersecurity job postings grew 74% from 2007 through 2013 – twice the rate of growth of all IT jobs combined. And demand for information security positions certainly hasn't let up since.
It's always amazing how little attention social engineering attacks get in discussions of enterprise information security risks. After all, it's usually easier to get an unsuspecting employee to click on a link than it is to find an exploitable vulnerability on a reasonably hardened web server. Social engineering attacks come from many different angles: targeted e-mails, phone-call pretexting, or posing as a service technician or other innocuous person to obtain access to the IT resources and data the attacker seeks.
It is no longer enough to think that securing your iPhone with a simple 4-digit PIN is adequate.
In 2014, it seemed that no industry went unscathed. The data breaches this year were broad and deep. Software maker Adobe was hit for 152 million records. Online marketplace eBay was drained of another 145 million; bank and financial services firm JP Morgan Chase, 76 million; retailers Target and The Home Depot, another 70 million.
The year since our previous Global Information Security Survey won't go down as one of the better years for information security. In fact, it may go down as one of the most grueling.
Online criminals remain at least one step ahead of many IT groups, according to this year's "U.S. State of Cybercrime Survey," conducted annually by CSO magazine, the Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PricewaterhouseCoopers. Deterrence and detection are both falling short of their goals: The 500 survey respondents faced an average of 135 security incidents last year, and 34 percent say that number was up compared to the previous year. Just one-third of respondents could estimate losses from their breaches; among those who could, the breaches cost $415,000, on average. Legal liabilities and lawsuits after breaches add to the costs.
There's certainly no shortage of claims regarding the current shortfall of cybersecurity professionals. These findings show up repeatedly in our surveys, most recently the 2014 Global Information Security Survey and the 2013 State of the CSO, which both revealed that the demand for skilled IT security professionals continues to strain organizations' ability to fill security positions. Finding skilled information security workers was identified as one of the greatest challenges for 31 percent of large companies.
It is said that an enterprise is only as secure as its weakest link. Today, that weak link often turns out to be partners, suppliers, and others with persistent network and application access.
DevOps is all about collaboration between operations teams and development teams. And the increase in collaboration should help enterprises to become more agile, eliminate waste, and automate, while also creating a more reliable infrastructure. It's about rapidly iterating, continuously improving, and being more competitive.
The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets averaging $4.3 million this year represent a gain of 51% over the previous year – and that figure is nearly double the $2.2 million spent in 2010 – all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
IT security pros with the right skills are in big demand. Last year, the employment rate for information security managers averaged 0.9%, as we reported in "High CISO employment rates means shortage for security industry." That's as close to actual full employment as one can get.
Today's information security professionals need to learn more swiftly, communicate more effectively, know more about the business, and match the capabilities of an ever-improving set of adversaries. But it doesn't seem so long ago that all it took to survive in the field was a dose of strong technical acumen and a shot of creativity to protect the network, solve most problems, and fend off attacks.