For the past two years, IDG Communications—CSO's parent company—has conducted the Security Priorities study, an examination of the CSO's place in the business, the challenges CSOs face, and their priorities and purchasing plans for the coming year. The survey is extensive, so I've broken my analysis into two posts.
In the first part of this post (The CSO's Role & Priorities - Part I), I examined the growing role of CSOs in today's businesses, and how security and IT, while often separate, are finding it more critical than ever that they work hand in hand. I discussed how security budgets are rising to meet these new demands. Finally, I shared how CSOs are exercising influence over the parts of the enterprise that pose risk but which they do not control.
Where are CSOs focusing their investments?
Not too surprisingly, the survey found that, as in the past, when a new risk or security demand arises, the first instinct of the security team is to buy a new product or service to mitigate the risk.
Nearly half of those surveyed (46%) indicated that their first action is to add new technologies to address cyber risks. They also told us that they conduct audits and assessments (34%), as well as look to add new skills and capabilities to their team (32%).
This continues to be great news for the vendor community, but it builds on one of the biggest problems that CSOs have: complexity.
Growing enterprise complexity makes it increasingly difficult for security teams to get accurate, actionable information out of the system(s) they have in place. It also usually brings high, ongoing maintenance costs, plus the cost of the people who must administer and maintain these systems. I know several CSOs who have gone into new positions and discovered 4 or 5 different DLP solutions in use in the same environment. As complexity and threat demands only increase, this type of messy security stack does not contribute to better risk management.
Where are security dollars being invested?
As you might imagine, the bulk of security dollars are being invested in traditional blocking and tackling technologies and services. Things like firewalls, AV, access and identity management continue to be key areas of investment either for maintenance or upgrades. What is telling, however, is what new technology areas are being invested in.
As was the case last year, businesses are investigating or piloting technologies like behavioral monitoring (53%), big data analytics (52%), cloud data protection (51%), and cloud access security brokers (48%). What changed is that this year we added Zero Trust and Blockchain to the list of technologies, and they shot right to the top, #1 and #2 respectively. This is consistent with what we've been hearing from CSOs in our conversations with the community. Zero Trust (at 52% investigating or piloting) has been around for a decade, but as traditional security perimeters have evaporated and enterprise complexity has exploded, Zero Trust is becoming an area of significant appeal.
Blockchain is an area of active research by 39% of respondents, but fewer CSOs are piloting projects (7%) or have moved to actual deployment (7%), and in fact a higher percentage (42%) have no immediate interest in Blockchain at all.
There is a cautionary tale here in that many organizations are easily distracted by bright and shiny objects. Just how organizations will use blockchain, and what its long-term benefits will be, remains to be seen.
What's driving technology investments?
The driving story this past year has been compliance. In the age of GDPR we clearly witnessed its impact on how, and why, businesses invest in security. Over the past two years we've seen a number of enterprise security projects get pushed to the back burner as businesses geared up to address the looming GDPR deadline of May 2018. It was the "little Y2K" of the security industry. We expect those sidelined projects will now be moved back into development and production until the next great regulation (CCPA?) comes along.
What really jumped out of the survey was the impact regulation and compliance have on why businesses invest in security. For as long as we've surveyed the market, we've found that the top reason to invest in security was because something bad happened: to their company, to a competitor, or to some other business whose security breach made headlines.
This year the story was about compliance: those naming compliance as the top driver behind security investment (69%) outpaced those naming a response to a security event in their business (36%) by nearly two to one. This was even more true in heavily regulated industries (like healthcare and financial services) and in businesses with more than 1,000 employees.
The greatest challenge with compliance as the primary driver is that it draws security teams away from being strategic. We know from past research that when security teams are free to focus on strategic issues (vs. tactical), they can realize significant benefits, including less downtime and fewer financial losses due to security incidents. This year, security teams cited "meeting governance and compliance mandates" as the top issue pulling them away from being strategic. That was even more pronounced in companies with more than 1,000 employees. 2018 was the year of compliance.
Staffing challenges are a major blind spot
It's no surprise to anyone in this industry that we're facing a massive shortfall in qualified security personnel. This has been building for a number of years, and this year's survey data paints a less than rosy picture.
One out of every ten enterprise businesses has ten or more open headcounts in its security department. One-third have at least three. Our survey data indicates that open positions are not isolated to a few specific roles, such as engineers or architects, but are pervasive across nearly all security jobs. Yet despite their current vacancies, nearly half (48%) of enterprise businesses plan to add FTE (full-time employee) headcount in 2019, and one-third plan to add more contract or outsourced employees.
Add to this the turnover of CSOs, fueled by the demand for experienced security leaders, which drives up compensation across the board. We're seeing recruiters for CSO/CISO positions present total first-year compensation in the millions of dollars.
As security continues to come into its own and play an increasingly important role in the enterprise, one can see how these challenges will continue to multiply as threats become more pervasive, attackers more sophisticated, enterprise complexity explodes, and senior management and the board of directors demand more accountability. Hold on... it's going to be a fun ride.