IISP: Security Budgets Failing to Keep Pace with Threats
Budgets increased over the past year for two-thirds of UK information security professionals, but for a similar number they have still not kept pace with the current threat level, according to a new poll.
Some 67% of Institute of Information Security Professionals (IISP) members polled said they had more to spend last year, while 15% said budgets stayed the same.
However, the report revealed that for 60% of those interviewed, this increase in investment didn’t match the rising cybersecurity challenges they faced.
Just 7% said budgets were rising ahead of the threat level.
IISP director Piers Wilson explained that how far behind the threat level members are will vary widely from respondent to respondent.
“What we can say though is that security in general isn't a thing you can just throw money at – there is a combination of technologies, processes and people investments needed,” he told Infosecurity.
“If you are even a bit behind, though, over time your level of protection will drop as threats escalate.”
Wilson added that the asymmetry between finite resources and the ability of organizations to protect themselves could be impossible to overcome.
“If we accept this as an ‘inconvenient truth’ then we do need to make sure we focus on being smart, prioritizing the right things, working efficiently and effectively and leveraging technology in the right way to provide an acceptable level of protection, assurance and response capability to the business,” he argued.
“Clearly this is not a trivial activity, but as the IISP works to drive up the levels of skills, professionalism and availability of expert resources, we need to keep that outcome in focus.”
The report also revealed what many in the industry already know: that there isn’t simply a shortage of staff but also a shortfall in skills and experience.
When asked what they felt there was an “insufficient availability of,” the top answers named were “resources” (19%), “experience” (14%), and “skills” (8%).
To mitigate these trends, there’s an even greater need for staff training, development and retention, the report found.
Businesses are also increasingly looking at more efficient ways to deliver security – for example via automation and machine analytics, or even outsourcing to a managed services provider.
There was also a mixed response when it came to members’ opinions on how well the industry is doing at protecting systems against attack.
Although only 10% said the level of protection is declining, less than half said they thought it was getting better or much better.
In terms of protecting against data breaches, IISP members were more optimistic.
Some 47% said they thought the industry was getting better at doing so, while 2% claimed “much better.”
Once again, just 10% said the industry is getting worse or “much worse.”
Source: Information Security Magazine