The age-old problem of misaligned security budgets and staffing continues, but budgets and staffing may not be the answer to the most pressing security issues.
Why aren’t security budgets and staffing keeping up with the increase in both numbers and sophistication of threats? Why are companies struggling to turn the technology into solutions? The consensus is that this issue comes down to getting the right people on the job to address security concerns.
Not just dollars and bodies
Yes, the industry knows there is a staffing shortage that has been building for a while and isn’t going to disappear magically no matter how much security budget is tossed at it, said Steve Durbin, Managing Director of the Information Security Forum. The industry also knows that threats continue to evolve and emerge as our dependence on technology increases and the capabilities of threat actors increase, placing a burden on users of the technology and information, as well as on security and IT departments.
However, he added, this is not an issue solely of dollars and bodies. It is more fundamental than that.
“Every business leader will tell you that they could do more with an increased budget, so what makes security so special? Well, for one, demonstrating a return on security investment is a tricky business,” he said. “There are no certainties in security other than an attack will come—we just don’t know when and we don’t know where. For another, security is still far too often, far too remote from understanding the corporate budget game.”
“We often talk about needing to align security with the business,” said Durbin. “If you do nothing else, do just that: Ensure your security programs are linked to business initiatives that are positive for the enterprise and support the business objectives, risk appetite and strategic goals.”