90-Day Spending. A total of 44% of respondents say their organization’s information security spending will increase over the next 90 days – down eight points from the previous survey in February. Only 4% say spending will decrease.
Security Incidents. Three-quarters of respondents said they have not experienced a significant security incident over the last 12 months. However, a closer look indicates that the number varies widely between small and large companies.
Security Skills Shortage. Respondents were asked a series of questions with regard to staffing for information security. A total of 67% of respondents say they are facing a skills shortage when it comes to staffing for information security.
Security Policies. The majority of respondents (81%) have written security policies in place. A closer look by company size shows that number is much lower for very small organizations (69%) with fewer than 250 employees and increases to 96% for very large organizations.
By Tracy Corbo
Information Security Spending Trends
A total of 44% of survey respondents say their organization’s information security spending will increase over the next 90 days – down 8 points from the previous survey in June 2017. Only 4% say spending will decrease, which is up one point from the previous survey.
According to Daniel Kennedy, Research Director for Information Security, "This does not indicate that security budgets are going down, they're in fact increasing for many organizations, just perhaps not at the rate needed to meet the challenges and demands of the threat landscape security managers are collectively facing."
Last 14 Months. Looking at IT security spending plans over the last 14 months indicates that spending remains relatively strong. Current spending plans are down slightly, but on par with November 2016 findings.
Incidents and Pain Points
Incidents. When asked whether their organization had experienced any significant security incidents over the past 12 months, three-quarters of respondents said No. However, a closer look by company size indicates that the number jumps to over 83% for companies with fewer than 1,000 employees, while it drops to 56% for very large organizations.
According to Daniel Kennedy, this difference between large and small organizations can point to the benefit that larger organizations gain from their greater level of investment in security monitoring, so that they are in a better position to detect breaches than smaller organizations.
Pain Points. User Behavior (34%) remains the biggest pain point, followed by Organizational Politics/Lack of Attention to Information Security (21%) and Staffing Information Security (21%).
Top Security Concerns. The top security concerns over the last 90 days were Hackers/Crackers with Malicious Intent (53%) and Compliance (49%).
Amidst discussions of new security tools and technologies, it’s important to remember that general IT best practices can make a difference, as one commentator pointed out:
Their solution to the threat from hackers has been to significantly limit access – “Take away admin rights [and] a lot of the rights of people inside the network. Really tightening in every way what users can do, so that if they are infected, we can limit the damage that the infection will do.”
Inadequately Addressed Security Threats. Respondents were also asked which security threats they believe are currently inadequately addressed within their organization. The internal problem of Preventing/Detecting Insider Espionage (28%) and the external threat from Hackers/Crackers with Malicious Intent (23%) continue to be the top security concerns.
In the words of one information security respondent:
The real concern is the people and not the tech – “[The greatest insider threat] is always going to be people … People are the only wild-card. The technology can be trusted.”
Security Skills Shortage. Respondents were asked a series of questions with regard to staffing for information security. A total of 67% of respondents say they are facing a skills shortage when it comes to staffing for information security. For very large companies with over 10,000 employees, that number jumps to 78% who said Yes.
Fixing Skills Shortage. To address the security skills gap, slightly more than half of the respondents plan to train existing staff and 44% will hire contractors. While 35% said they would hire new staff, a closer look by company size shows this is a strong option for very large organizations with more than 10,000 employees (51%), in contrast to just 26% of very small organizations with fewer than 250 employees.
Recruiting and Retaining Staff. Respondents were asked to rate the degree of difficulty in recruiting and retaining information security staff on a 10-point scale where 0 is ‘Not at All Difficult’ and 10 is ‘Extremely Difficult’. Information security proves to be one of the more difficult areas to hire for: 44% rated it of High Difficulty (8-10) and an equal number rated it of Moderate Difficulty (5-7). The overall mean was 6.7.
In terms of retaining staff, while the mean was slightly lower (5.8), 78% of the respondents still rated it at least moderately difficult: 51% rated it of Moderate Difficulty (5-7) and 27% of High Difficulty (8-10).
Level of Satisfaction. Using a 0-10 scale, where 0 is ‘Poor’ and 10 is ‘Excellent,’ respondents were asked to rate the ability of their information security team to meet their organization’s needs. A total of 54% said that they Adequately Met (5-7) the organization’s needs. Only 15% selected Poorly Met (0-4).
The majority of respondents (81%) have written security policies in place, but a closer look by company size shows that number is much lower for very small organizations (69%) with fewer than 250 employees and increases to 96% for very large organizations.
Effectiveness of Enforcement. Using a 0-10 scale, where 0 is ‘Low Effectiveness’ and 10 is ‘High Effectiveness,’ respondents were asked to rate the effectiveness of the enforcement of the security policies at their organizations. A total of 57% rated them as being of Moderate Effectiveness (5-7) and 31% said they were of High Effectiveness (8-10). Only 12% selected Low Effectiveness (0-4).
451 Research, LLC does not make any warranties, express or implied, as to the information presented in this report.
Appendix: Security Technology Definitions