Author: Frank Downs, Director and SME, Cyber Security Practice, ISACA
Since information security first became an online concern, organizations have poured millions of dollars into products promising faster incident recognition, shorter response times and better overall operational efficiency. To a certain extent, the idea that automation and enablement go hand in hand has proved out over the past several decades, and for many years organizational security budgets have favored products over services. However, a recent Forrester report has identified that, over the last two years, a growing share of security budgets has gone to obtaining services rather than products. Further research points to two main causes for the increase in service spending: a lack of trained professionals, and an inability to establish a proper framework in which to perform risk management. This trend may continue to grow as organizations scramble to address those deficiencies.
Observing the field of cybersecurity, it comes as no surprise that good help is still hard to find. In fact, ISACA’s State of Cybersecurity 2020 indicates that over half of managers in the information security field view their organizations as understaffed. Furthermore, a new position on a cybersecurity team remains open, on average, for at least three months, placing more pressure on existing teams. These statistics lend credence to the suggestion that, in lieu of proper staffing, organizations will reach out to service-offering companies to fill the gap. Tim Bandos, Vice President of Cybersecurity at Digital Guardian, echoed this sentiment at the recent RSA conference, stating that it is “lack of resources and technical capability” that are driving organizations toward greater investment in services. Bandos gave the example of implementing a new data loss prevention (DLP) solution, stating that “it’s hard to implement a DLP program … it’s going to take a while to get a program up and running … services will get you up and running on day one.” Bandos stated that many products will provide companies with the data needed to make impactful decisions and improve their cybersecurity posture, but that low staffing and limited resources result in a lack of the understanding, time or ability needed to use that data meaningfully. Bringing in a service can help resolve the issue.
Bandos’ example of efficient data usage aligns with both organizational sentiment and reports indicating that data ownership does not equal data comprehension. Specifically, Forrester researchers found that organizations with a small security budget rank “improving security analytics and capabilities” as their top priority for 2020. This makes particular sense coming from organizations with smaller security budgets, because in-house staff are consistently more expensive than contracted services. Bandos provided another example: applying certain comprehensive solutions across an entire enterprise could cost over US$1 million per year if he were to hire an in-house team to staff and implement the solution. Services, however, can provide the same implementation, customization and reporting for a fraction of that cost, and the one-year savings could fuel a multiyear implementation.
Knowing where to apply the saved budget also requires prioritization of effort and funds, and that is exactly what organizations without a risk management framework struggle to do. It is no wonder, according to Forrester, that one of the top priorities for both low-budget and higher-budget security spenders is establishing a formal technology/IT risk framework. No matter how much funding organizations devote to cybersecurity, without a framework, such as those in the CMMI Cybermaturity Platform, they are unable to apply their efforts effectively. These frameworks help companies establish their risk profile and understand where their true vulnerabilities lie. In turn, they can direct funds and effort to the trouble areas and raise their level of security.
The shift in security spending from products to services should not surprise anyone watching the cybersecurity field mature. As the field is still relatively young, it is understandable that the workforce is not yet fully developed. While those future cybersecurity professionals grow and learn, organizations will still need to rely on services to fill the gaps, and on frameworks to help them identify where those gaps exist.