IT security budgets are failing to keep up with rising security threats, a survey of information security professionals shows.
A lack of resources is the biggest challenge, according to 45% of respondents to the latest annual survey by the Chartered Institute of Information Security, the independent not-for-profit organisation responsible for promoting professionalism and skills in the IT profession.
Formerly the Institute of Information Security Professionals (IISP), the organisation achieved Royal Charter status in July 2019, becoming the only chartered institute focused solely on cyber security.
After a lack of resources, respondents cited a lack of experience as their top challenge (37%), followed by a lack of skills (31%).
Ultimately, security professionals feel their budgets are not giving them what they need, the survey report said, with only 11% saying security budgets were rising in line with, or ahead of, the cyber security threat level, while the majority (52%) said budgets were rising, but not fast enough.
Asked about the source of cyber security threats, 75% said people are the biggest challenge they face in cyber security, followed by processes (12%) and technology (13%). This may explain the need for more resources even as budgets increase, the report said, noting that the people issue is a far more complex one to deal with.
Yet at the same time, the report said there are signs of improvement, with more than 60% of IT professionals saying that the profession is getting better – or much better – at dealing with security incidents when they occur, and only 7% saying the profession is getting worse.
Conversely, less than half (48%) of respondents felt the industry is getting better at defending systems from attack and protecting data, with 14% saying the profession is getting worse. This suggests an ongoing move in the industry, the report said, from focusing on prevention, to an all-encompassing approach to security.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO of the Chartered Institute of Information Security.
“As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat, otherwise they will inevitably have to make compromises.”
Asked to identify the worst or most notable security events or breaches of the past year, more than one third of respondents pointed to Facebook, both for its own breaches and for its relationship with Cambridge Analytica. British Airways was second, with almost a quarter of responses.
All the incidents highlighted by the most respondents were as notable for the aftermath of the breach as for the breach itself, the report said.
The innovation predicted to have the greatest effect on security in general was artificial intelligence (AI) and machine learning technology, suggesting this is an area for organisations and individuals to target their skills development, the report said.
The focus on a lack of resources, experience and skills suggests that IT security teams are feeling the effect of the IT skills shortage, the report said, noting that this is also an opportunity for individuals.
The majority of IT security professionals surveyed believe this is a good time to join the profession, with 86% saying the industry will grow over the next three years and 13% predicting it will “boom”.
There is also an opportunity and need, the report said, for women in the industry, with the majority of respondents (89%) identifying as male, and just 9% as female.
More than 37% said they have better prospects than a year ago, and the factors attracting people to take security jobs are the same as then – remuneration, followed by scope for progression and variety of work.
Insufficient money or a lack of opportunity also cause people to leave security positions, the survey shows, yet the top factor causing people to leave their jobs is bad or ineffectual management.
“In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed,” said Finch.
“At the same time, they cannot simply hire anyone to fill the skills gap because bringing the wrong person into a role can be a greater risk than an empty seat.
“Instead, organisations must understand what roles they need to fill, what skills those roles demand and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need.
“This doesn’t only mean developing technical skills, but the social, organisational and strategic skills that are essential to put security at the heart of the business,” she said.