Enterprise security spending less on skills, more on technology

Why are enterprises spending more on tools, and less on people? Good question.

Sure, enterprises are investing more in their cybersecurity efforts: but is that a good thing? It could be, depending on how it is being spent.

According to our 2015 US State of Cybercrime Survey of more than 500 respondents including US business executives, law enforcement services, and government agencies the priority for security spending in the next year include new technologies (47%), audits and assessments (40%), new skills and capabilities (33%), redesign cybersecurity strategy (24%), and a redesign of processes (15%).

Why is so much spending being targeted at technology and so little on people? There are likely a confluence of reasons, including some enterprises having to play catch-up to get their program up to par, some simply can’t find the talented people they need, and others are likely spending on the wrong things, while still others are transitioning to cloud and making the appropriate security investments.

When respondents were surveyed regarding their on-staff cybersecurity expertise – those very people capable of deploying and managing new security technologies – only 26% said that they have such skills in-house. Not encouraging.

“We could speculate and say that investment in people is slowing because the people don't exist,” says Mike Rothman, analyst at security research firm Securosis. “This is the second-order derivative of the skills gap. We may have hit the skills gap ceiling, which means we can't invest more in people because we can't find them,” says Rothman.

hat means, without adequate availability to the skills enterprises need, enterprise teams are in need to streamline and automate as much of their security program as possible. Jay Leek, chief information security officer at The Blackstone Group,  certainly is. “I'm investing in technologies that require as few people to run it, and are as flexible, as possible. We need to leverage our open APIs and write our own custom tools to automate and orchestrate the technologies to make them more efficient,” Leek says.

That’s likely a great exercise always, but an absolutely necessary one when CISOs can’t find the talent they want to hire. “I'd have to look at 100 qualified resumes, distill that down into probably 30-plus interviews, to hope that I'm going to find one person that I want to extend an offer to and hope that they're going to take my offer - because they're being chased after by dozens of other companies,” Leek explains.

The lack of talent is taking its toll, as John Johnson, global security strategist at John Deere says. “Most companies don't have the maturity level necessary to really make full use of their new products, so they need to focus on people and processes and not pizza boxes. That said, technology that helps to automate and which might give lower level actionable intelligence, or insights where traditional technologies don't, could help solve a problem without adding a lot of staff and infrastructure to support,” Johnson says.

Also, Johnson says it’s possible that the increase in technology spending may be part of the transition in the move to cloud in favor of on-premises IT. “Organizations who increasingly move to the cloud and BYOD will not want to invest in on-premises infrastructure they have to support, they will start looking for cloud security services and security vendors in that space should see significant growth,” he says.

Perhaps it’s a little bit of all of the above, says Mark Carrizosa, VP, of security at Soha Systems and recent senior security solutions architect at Walmart Global eCommerce. “It's going to be different at every company,” says Carrizosa.  “Common factors here with organizations is that they are continuously looking to keep up with the security landscape, new tools, new products, new services that are coming out to help combat their threats,” says Carrizosa.

While that may help to mitigate those risks, it still places pressure on having the right people to manage all of those tools, but, many experience CISOs and security professionals say it’s not really the size of the team that matters. “Yes, the organization needs to be able to maintain the experience and ability to manage everything. But you're starting to see security teams grow and grow and grow, and all of a sudden they end up with this huge security team of hundreds of people and each has their own silos of experience and that doesn’t make for a cohesive group,” he says.

“Some of the most effective groups that I've seen have been very small, because they've learned to "work smarter, not harder," and they utilize the tools properly and actually improve the incident response and effectiveness of their security posture,” says Carrizosa.