Cybersecurity is in the news almost daily, with much-publicized ransomware attacks and data breaches affecting organizations worldwide and increasing involvement by sophisticated state-sponsored hackers. Investment in cybersecurity, whether by established corporations or venture capital, is rising accordingly, as are the stature and business significance of cybersecurity operations. But a persistent skills shortage continues to impede the progress of successful cyber defense, driving organizations to increasingly look for outside help in the form of consulting and managed security services.
Cybersecurity investment rising rapidly
Cybersecurity continues to be one of the hottest tech sectors in recent history. According to Gartner, worldwide spending on cybersecurity will reach $86.4 billion in 2017, up 7% over last year. Spending on both security services and products is expected to keep growing into 2018, reaching $93 billion by the end of the year.
The increased spending on cybersecurity is reflected in its rise to the top of the business priorities list. A survey by analyst firm Enterprise Strategy Group (ESG) has found that for 39% of organizations, improving cybersecurity is the most important business initiative driving IT spending in 2017 and that 69% of organizations are increasing their cybersecurity budgets this year, more than any other area. And 81% of cybersecurity professionals agree that improving security analytics and operations is a high priority at their organizations.
As concerns among corporations and government agencies grow over the impact of data breaches, investors have been making more deals with private cybersecurity companies than ever before. Cybersecurity startup funding hit an all-time quarterly high in terms of number of deals in the first quarter of 2017, up 26% from the previous quarterly high. The trend held through the second quarter, which saw just one fewer deal (145 total) compared to the previous quarter. The amount of disclosed equity funding to cybersecurity companies has also recently broken records, reaching an all-time quarterly high of $1.6 billion in the second quarter of 2017, according to CB Insights.
Transforming cybersecurity operations into strategic digital risk management
While many organizations continue to think of cyber-risk solely in terms of internal network penetration and defense, others are developing a more comprehensive risk management strategy that includes all digital assets—websites, social networks, VIP and third-party partner exposure, branding and reputation management, and compliance. Says ESG: “It is no longer a case of just spending dollars on perimeter-focused cybersecurity but [organizations] need to move to a more holistic digital risk strategy designed to analyze threat intelligence, monitor deep web activities, track the posting of sensitive data, and oversee third parties.”
With the transformation of cybersecurity into comprehensive risk management, Gartner predicts that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, which is an increase from today's 40%. The key in presenting to the board, says Gartner, is to connect the cybersecurity program goals to business risks; in other words, to explain why risk and security are important to non-IT decision makers. A simple example would be a discussion of implementing a process for managing third-party risk to support a business's cloud strategy.
Cybersecurity skills shortage continues to hamper security
There are currently more than 348,000 open security positions, according to CyberSeek. By 2022, there will be 1.8 million unfilled positions, according to the Center for Cyber Safety and Education.
The industry needs, and will continue to need, new kinds of skills as cybersecurity evolves in areas such as data classes and data governance, says Gartner. Changes in cybersecurity will require new types of skills in data science and analytics, and adaptive skills will be key for the next phase of cybersecurity.
58% of cybersecurity professionals responding to an ESG survey strongly agree or agree with the statement “Security analytics and operations effectiveness is limited because of employee skills gaps.” Other than hiring and training, CISOs must look for new types of intelligent security analytics technologies, automate/orchestrate security operations processes, or find managed service providers who can fill these gaps to bolster the productivity of the existing cybersecurity staff, ESG recommends. Additional findings regarding the cybersecurity skills shortage:
- 45% of organizations say they have a problematic shortage of cybersecurity skills.
- 33% say their biggest shortage of cybersecurity skills was in security analysis and investigations.
- 54% believe that their cybersecurity analytics and operations skill levels are inappropriate, while 57% of survey respondents believe that their cybersecurity analytics and operations staff size is inappropriate.
Demand continues to far outstrip supply. While 81% of the cybersecurity professionals ESG surveyed say that their organization plans to add cybersecurity headcount this year, 18% of organizations find it extremely difficult to recruit and hire additional staff for cybersecurity analytics and operations jobs and another 63% find it somewhat difficult to recruit and hire additional staff for cybersecurity analytics and operations. Gartner recommends focusing the cybersecurity team on the most important tasks and automating the manual ones, such as log reviews. It tells CISOs to review their job listings to see if they are hiring for positions that should really be outsourced.
Organizations increasingly look for help in managing security
All organizations need cybersecurity help, says ESG. While companies are still buying new security tools, these products are often accompanied by professional services, helping companies manage and optimize their security portfolio. As a result, many CISOs are now looking at cybersecurity through a portfolio management lens and figuring out which areas to outsource to MSSPs and SaaS providers.
According to Gartner, 40% of all managed security service (MSS) contracts in 2020 will be bundled with other security services and broader IT outsourcing (ITO) projects, up from 20% today. To deal with the complexity of designing, building and operating a mature security program in a short space of time, says Gartner, many large organizations are looking to security consulting and ITO providers that offer customizable delivery components that are sold with the MSS. As ITO providers and security consulting firms improve the maturity of the MSS they offer, customers will have a much broader range of bundling and service packaging options through which to consume MSS offerings. The large contract sizes associated with ITO and security outsourcing deals will drive significant growth for the MSS market through 2020.
IDC estimates that services will be the largest area of security-related spending over the next five years, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017.
Increased confidence in cloud cybersecurity
Only 5 years ago, concerns about adequate security were cited as one of the top reasons for not moving IT operations and assets to the cloud. This attitude has recently changed, accompanied by rapid cloud adoption by many large corporations. A recent survey by analyst firm ESG has found “improved security” reported as a benefit that has been realized by 42% of organizations that already leverage cloud-based data protection services.
Gartner explains the potential key benefit of cybersecurity in the cloud: Today’s data centers support workloads that typically run in several different places—physical machines, virtual machines, containers, and private and public cloud. Cloud workload protection platforms provide a single management console and a single way to express security policy, regardless of where the workload runs.
On the other hand, Gartner warns that as the cloud environment reaches maturity, it’s becoming a security target. It’s possible that the cloud will fall victim to a tragedy of the commons wherein a shared cloud service becomes unstable and insecure based on increased demands by companies. Companies should develop security guidelines for private and public cloud use and utilize a cloud decision model to apply rigor to cloud risks.
The promise of AI and machine learning is still just a promise
Machine learning algorithms have great potential to help with security analytics and employee productivity, but this technology is in its infancy and not well understood, says ESG. A survey of 412 cybersecurity professionals asked them to assess and characterize their knowledge of machine learning/artificial intelligence as it relates to cybersecurity analytics and operations technologies. Of the total survey population, only 30% of respondents claim to be very knowledgeable in this area. In other words, 70% of cybersecurity professionals really don’t understand where machine learning and AI fit in their security portfolio.
Furthermore, cybersecurity pros were asked if their organizations have deployed or are planning to deploy machine learning/AI technologies for cybersecurity analytics and operations. Only 12% say that their organization has done so extensively. However, cybersecurity professionals see the potential of AI and machine learning to help with automating manual tasks and alleviating the skill shortage—only 6% of respondents have no plans to deploy machine learning/AI technologies for cybersecurity analytics and operations.
Becoming more knowledgeable about AI and machine learning may make cybersecurity professionals more aware not only of their potential benefits but also of their adversarial capabilities in the service of hackers. For example, Facebook researchers have developed Houdini, a new technique that could be used by hackers to trick autonomous cars into ignoring stop signs or prevent surveillance cameras from spotting a suspect. Houdini can be used to fool both voice-recognition and machine-vision systems by adding small amounts of digital noise to images and sounds that humans would not notice. Hackers could deceive such systems by determining what an algorithm is seeing or hearing when faced with a similar situation.
Sources
Cybersecurity investment rising rapidly
- Cybersecurity Funding On Pace For A Record-Breaking Year
- Addressing Security Analytics and Operations Issues
- 2017 IT Spending Intentions Survey
Transforming cybersecurity operations into strategic digital risk management
- The Comprehensive Guide to Presenting Risk and Information Security to Your Board of Directors
- The Pressing Need for Digital Risk Management
Cybersecurity skills shortage continues to hamper security
- Cybersecurity Analytics and Operations Skills Shortage
- Confront the Cybersecurity Talent Shortage
Organizations increasingly look for help in managing security
- Remarkably, Many Organizations Still Opt for 'Good Enough' Cybersecurity
Increased confidence in cloud cybersecurity
- Gartner Top Technologies for Security in 2017
- 5 Trends in Cybersecurity for 2017 and 2018
The promise of AI and machine learning is still just a promise