Security spending up, but adoption of cutting-edge tools is slow

While security budgets are expected to increase over the next year, it’s not clear that spending is aimed at the right problems or that IT is up-to-date on the latest security practices. (Download our research report.)

budget piggy bank spending savings security spending
Getty Images

Security spending is expected to increase over the next 12 months at fully half of organizations, but questions linger as to whether that money is being targeted at the right problem and whether IT organizations are keeping up with latest techniques and countermeasures.

That’s the key takeaway from the IDG Security Priorities Study 2019, which surveyed 528 security-focused professionals worldwide who are involved in IT and security decisions in their organizations.

security priorities study IDG

Log in or subscribe to Insider Pro to download this research report. 

It’s clearly a positive sign when 50 percent of respondents say their security budgets are expected to increase, 46 percent expect their budgets to remain flat and only 4 percent anticipate a decrease. One interesting trend is that the mix of spending seems to be shifting from capital expenditures to operational expenses as companies increasingly turn to “as-a-service” options for security tools.

But it is somewhat troubling that in the face of an increasingly dynamic threatscape and all of the well-publicized data breaches, survey respondents said that the biggest factors that determine the priority of security spending at their organizations are implementing rigid best practices frameworks and checking off compliance mandates.

download icon insider pro green Vectorios2016 / Getty Images

Click to download the report.

Addressing actual security breaches that occurred at the company or security incidents that happened to business partners was well down on the spending priority list. Survey respondents noted that having to focus on compliance mandates distracted them from executing more strategic security plans. “No matter how many times security pros say ‘compliance isn’t security,’ there are auditors and regulators who think it is,” said Peter Lindstrom, vice-president of security strategies at IDC.

Who’s in charge of security?

More than two-thirds of organizations have a Chief Security Officer (CSO), Chief Information Security Officer (CISO) or other designed security leader, but 31 percent of organizations lack a designated security executive. Of those leaders, 31% report to the CIO, while 29 percent report to either the CEO or Board of Directors.

Breakout data indicates that large enterprises are more likely to have a top security executive than small or midmarket companies.

Traditionally, turnover has been high at the CISO level, which has often been attributed to the stress and difficulty of the job or, even worse, to the consequences of suffering a data breach. But the survey uncovered another factor that contributes to high turnover, the fact that security leaders are a hot commodity. Nearly one-fourth of respondents said they have been recruited for other security jobs a whopping six times or more during the past year.

Tools of the trade

In the security world, a certain set of familiar technologies have achieved widespread adoption, such as anti-virus, malware protection, firewalls, endpoint protection and patch management. But threats are constantly evolving and simply buying more of the same tools isn’t enough to stay ahead of the attackers. Not only do companies need to deploy the latest tools, they need to re-think security processes and security-related organizational structures, said Lindstrom.

For example, when asked to list where their security programs fall short, many respondents pointed to the difficulty in applying security during the application development process. Other process-centric issues that were identified include inadequate training and employee awareness, lack of involvement by security teams prior to the implementation of new technologies, lack of a proactive strategy, and inadequate communication with lines of business.

Those process issues certainly need to be addressed, but technology portfolios need updates as well. “Just doing the basics in cybersecurity hit diminishing marginal returns years ago,” said Lindstrom. “We need to move on to newer methods like deception and resilience to protect enterprises.”

Unfortunately, the survey showed mixed uptake for some of the emerging tools and approaches that could be considered a departure from security-as-usual, such as zero trust, DevSecOps, deception technologies and big data analytics.

For example, zero trust is a new approach to security that does away with the distinctions between trusted and untrusted employees based on factors like role or location. In the zero trust model, everyone is considered untrusted by default and must go through strict authentication and access control procedures.

In the survey, the No. 1 technology being researched was zero trust at 47%, which shows that security pros have it on their radar screens. But only 8% reported active pilots and only 11 percent of respondents said they had some type of zero trust model in actual production.

Similarly, deception technology came in second, with 40% of respondents showing interest. But again, deployment is only around 10 percent and a full 38 percent of respondents said they’re not interested in the technology at all.

Other security technologies that scored high on the list include behavior monitoring and analysis, cloud data protection, cloud-based security services and cloud access security brokers. On the other hand, interest in blockchain technology actually dropped from 58 percent last year to 50 percent this year.

Log in for subscribe to download survey results.

IDG Security Priorities Study