{"id":454,"date":"2024-09-30T10:01:00","date_gmt":"2024-09-30T10:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=454"},"modified":"2024-09-30T10:01:00","modified_gmt":"2024-09-30T10:01:00","slug":"security-spending-signals-major-role-change-for-cisos-and-their-teams","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=454","title":{"rendered":"Security spending signals major role change for CISOs and their teams"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprises are increasingly spending more on security software and services than they are on staff, a radical shift in security budgeting that will transform the role of the CISO at many organizations, as well as the roles of remaining in-house staff.<\/p>\n<p>Gartner predicts a <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2024-08-28-gartner-forecasts-global-information-security-spending-to-grow-15-percent-in-2025\">15% growth in security spending next year<\/a> on software and services, partly fueled by adoption of AI technologies, from $184 billion this year to $212 billion by the end of 2025.<\/p>\n<p>Security software markets such as application security, data security and privacy, and infrastructure protection will all grow substantially, while spending on cloud-native security products will take off, growing from $6.7 billion in 2024 to $8.7 billion in 2025.<\/p>\n<p>At the same time, security services spending is expected to increase 15.8% to $86.1 billion. 
Security consulting services, security professional services, and managed security services are predicted to grow faster than the other security segments \u2014 an expansion driven by the <a href=\"https:\/\/www.csoonline.com\/article\/657598\/cybersecurity-workforce-shortage-reaches-4-million-despite-significant-recruitment-drive.html\">long-standing global cybersecurity skills shortage<\/a> as much as anything else, according to Gartner.<\/p>\n<p>All this despite enterprise security budgets experiencing <a href=\"https:\/\/www.csoonline.com\/article\/3504991\/ciso-budget-survey-modest-increases-in-2024.html\">moderate increases of around 8%<\/a>, with a third of CISOs reporting flat budgets or budgets in decline.<\/p>\n<p>The end result? An evolving remit for CISOs and their teams, with a focus on strategic planning and integration over traditional day-to-day security tactics.<\/p>\n<h2 class=\"wp-block-heading\">Cybersecurity workforce growth stalls<\/h2>\n<p>Among the key signals of changes ahead is the seeming deprecation of budgeting for in-house security staff.<\/p>\n<p>The extent of the cybersecurity skills shortage was laid bare in preliminary findings from <a href=\"https:\/\/www.isc2.org\/Insights\/2024\/09\/Employers-Must-Act-Cybersecurity-Workforce-Growth-Stalls-as-Skills-Gaps-Widen\">ISC2\u2019s latest annual Cybersecurity Workforce Study<\/a>. 
According to the cybersecurity professional certification organization, the global active cyber workforce has barely increased in the past 12 months, growing just 0.1% to reach 5.5 million worldwide, while the skills gap (like national budget deficits) rose 19% year on year to reach 4.8 million globally.<\/p>\n<p>Two in five (39%) of the 16,000 cybersecurity professionals surveyed by ISC2 said a lack of budget was the top reason for cyber shortages, replacing the shortage-of-talent rationale commonplace in previous editions of the workforce study.<\/p>\n<p>A quarter of respondents (25%) have observed layoffs (up 3% from 2023) and over a third (37%) have reported budget cuts (up 7% from 2023).<\/p>\n<p>Hiring freezes and fewer promotions are becoming more commonplace despite the forecasted increase in security spending on software and services and the all-too-obvious imperative for <a href=\"https:\/\/www.csoonline.com\/article\/2111061\/cyber-resilience-a-business-imperative-cisos-must-get-right.html\">CISOs to bolster cyber resilience<\/a> in multiple sectors of the economy.<\/p>\n<p>Shifting budget away from addressing the skills shortage has practical effects. The latest edition of <a href=\"https:\/\/www.ibm.com\/reports\/data-breach?utm_content=SRCWW&amp;p1=Search&amp;p4=43700080547567366&amp;p5=e&amp;p9=58700008753006177&amp;gad_source=1\">IBM\u2019s annual Cost of a Data Breach Report<\/a> found that more than half of all breached organizations are facing high levels of security staffing shortages.<\/p>\n<p>Caught between a rock and a hard place, organizations are turning to managed services and external consultants to fill in the gaps, with third-party hacks and regulations on the rise, even as staffing levels stay the same \u2014 or worse, decrease.<\/p>\n<p>One way to solve the budgeting portion of the equation, apparently, is to get hacked. 
A <a href=\"https:\/\/www.iansresearch.com\/resources\/all-blogs\/post\/security-blog\/2024\/09\/05\/2024-security-budget-benchmark-report--key-findings\">recent study from IANS Research and Artico Search<\/a> found that security budgets tend to see the highest increase only after a breach or when there\u2019s a big change in an organization\u2019s risk appetite \u2014 evidence that enterprises are being reactive rather than proactive in their approach to cybersecurity funding.<\/p>\n<p>Says Panayot Kalinov, former deputy head of IT turned senior software developer at Casinoreviews.net: \u201cThis puts CISOs in a tricky spot \u2014 how do you justify asking for more money or resources when nothing\u2019s on fire yet?\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISOs to shift to risk management and security orchestration<\/h2>\n<p>\u201cExpected to do more with less,\u201d CISOs are shifting their focus, Kalinov adds. \u201cInstead of beefing up their internal teams, they\u2019re focusing on risk management, regulatory compliance, and keeping C-suite executives aware of the evolving security landscape,\u201d Kalinov says.<\/p>\n<p>James Neilson, SVP of international sales at cybersecurity vendor OPSWAT, believes the increasing allocation of security budgets toward software and services rather than staff reflects the CISO\u2019s evolving role from managing internal teams toward becoming a more strategic, technology-driven leader.<\/p>\n<p>\u201cThis trend also indicates that they\u2019re taking on a more prominent role in risk management, ensuring that outsourced services complement internal capabilities while maintaining agility in response to evolving threats,\u201d Neilson says.<\/p>\n<p>As a result, security organizations are also undergoing a shift from traditionally siloed, in-house approaches toward a more integrated, outsourced, and technology-driven model, Neilson argues. 
This may mean hiring fewer but more specialized in-house professionals, including roles that oversee <a href=\"https:\/\/www.cio.com\/article\/220137\/vendor-management-the-key-to-productive-partnerships.html\">vendor management<\/a> and strategy, as well as product integration, automation, and management, he says.<\/p>\n<p>\u201cOrganizations increasingly rely on elements of external managed services and advanced automation tools to manage cybersecurity, focusing internal resources on understanding the business and its risks, defining higher-level strategy, oversight, and risk management,\u201d Neilson contends.<\/p>\n<h2 class=\"wp-block-heading\">AI changes the SOC game<\/h2>\n<p>That last bit about relying on advanced automation tools brings AI into the equation, as increased spending on software and services likely includes more money allotted to AI capabilities that vendors are baking into their wares.<\/p>\n<p>But AI is a double-edged sword \u2014 enabling enterprises to automate many security-related tasks while empowering threat actors to <a href=\"https:\/\/www.csoonline.com\/article\/656698\/generative-ai-phishing-fears-realized-as-model-develops-highly-convincing-emails-in-5-minutes.html\">develop more convincing phishing scams<\/a> and to <a href=\"https:\/\/www.csoonline.com\/article\/564321\/6-ways-hackers-will-use-machine-learning-to-launch-attacks.html\">rapidly scale up their attacks<\/a>. 
And that\u2019s not to mention the rising need to <a href=\"https:\/\/www.csoonline.com\/article\/3532290\/want-to-know-how-the-bad-guys-attack-ai-systems-mitres-atlas-can-show-you.html\">defend enterprise AI systems<\/a>, which, in a rush to implement, <a href=\"https:\/\/www.csoonline.com\/article\/3529615\/companies-skip-security-hardening-in-rush-to-adopt-ai.html\">many companies are failing to harden<\/a>.<\/p>\n<p>Here, the cybersecurity shortage isn\u2019t helping, says Aaron Rosenmund, senior director of content security and curriculum at online learning platform Pluralsight.<\/p>\n<p>Rosenmund tells CSO: \u201cThe shortage of cybersecurity professionals is a well-known issue, with 71% of organizations having unfilled cybersecurity positions. This shortage leaves security teams understaffed and burned out, a problem exacerbated by the rise of AI.\u201d<\/p>\n<p>All told, AI is bringing several factors to bear on cyber teams, and CISOs\u2019 strategies need to evolve to address them.<\/p>\n<p>\u201c[CISOs should] focus on upskilling your cybersecurity team in AI-based defense strategies, and leveraging AI to reduce the burden of their job will be beneficial,\u201d Rosenmund argues. 
\u201cTasks like inbound message filtering, summarizing incident reports, process automation, and filtering bug bounty challenges can all be automated.\u201d<\/p>\n<p>Rosenmund continues: \u201cSupporting employees with resources to stay informed on the way threat actors use AI and upskill on knowledge gaps will make for a more engaged and better-equipped team ready to defend against criminals.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Shifting roles, hybrid orchestration<\/h2>\n<p>These collective changes mean that the role of the CISO in many organizations is shifting from a leader who builds and runs internal teams to more of an orchestrator who oversees and integrates the work of external vendors and service providers in conjunction with in-house staff.<\/p>\n<p>By adopting a more hybrid approach \u2014 combining internal teams with external services \u2014 organizations can still successfully chart a path toward enhanced resilience and agility, assuming CISOs can get that orchestration right.<\/p>\n<p>\u201cIn essence, the role of the CISO is becoming more strategic and collaborative,\u201d says Jamie Beckland, CPO at security testing vendor APIContext. \u201cCISOs must focus up and out \u2014 on contextualizing risk more effectively to their boards; and on maintaining strong relationships with partners and key suppliers.\u201d<\/p>\n<p>The continued shift toward software, services, and automation also means that internal staff can shift their focus to \u201chigher-value tasks\u201d, according to Martin Greenfield, chief exec of cybersecurity controls monitoring firm Quod Orbis.<\/p>\n<p>\u201cAs organizations invest in AI-driven solutions and managed services, cybersecurity teams are liberated from mundane, repetitive tasks such as control testing, evidence gathering, and policy writing,\u201d Greenfield tells CSO. 
\u201cThis strategic pivot allows CISOs to focus their teams on leveraging insights derived from automated systems, fostering a more proactive and data-driven approach to security.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The long-term outlook on cyber staffing<\/h2>\n<p>Still, the shift away from in-house security work may have long-term impacts, Kalinov argues.<\/p>\n<p>\u201cIn the long run, this approach raises some big questions about the future of cybersecurity careers,\u201d Kalinov says. \u201cIf more money is funnelled into software and managed services, what happens to the talent pipeline?\u201d<\/p>\n<p>Kalinov adds: \u201cCompanies are investing in tech and external services to patch the gaps, but they can\u2019t ignore the need for skilled staff.\u201d<\/p>\n<p>Beckland, however, argues that the increased reliance on managed services and security software doesn\u2019t detract from the importance of in-house security professionals.<\/p>\n<p>\u201cWith the shortage of qualified professionals, organizations find it more feasible to invest in external solutions that can be rapidly deployed and scaled,\u201d according to Beckland. 
\u201cThis doesn\u2019t diminish the importance of in-house teams but reshapes their focus towards oversight, strategic planning, and integration of these services into the organization\u2019s broader security posture.\u201d<\/p>\n<p>Rick Holland, field CISO at threat intelligence firm ReliaQuest, agrees that outsourcing \u201cmonotonous, time-consuming tasks\u201d can benefit in-house security staff, whose time is freed up to take on more engaging work.<\/p>\n<p>\u201cInstead of a \u2018defence in depth\u2019 strategy, many organizations have adopted an \u2018expense in depth\u2019 approach, where multiple controls overlap existing capabilities and remain partially implemented,\u201d according to Holland.<\/p>\n<p>Concurrently, Holland argues that resource and staffing constraints often lead to inefficient strategies, which only accelerate the need for enlisting outside help.<\/p>\n<p>\u201cSecurity teams, overwhelmed by daily threats, struggle to fully leverage their software,\u201d Holland says. \u201cThese challenges are driving the demand for security services.\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISOs at a crossroads<\/h2>\n<p>In the end, CISOs find themselves at a difficult crossroads.<\/p>\n<p>\u201cBuilding all of your own capabilities and expertise internally won\u2019t scale for most businesses,\u201d Marshall Erwin, CISO at Fastly, tells CSO. 
\u201cAt the same time, if a CISO relies too much on third parties, they will find they don\u2019t have the security expertise needed to address the most critical incidents or challenges.\u201d<\/p>\n<p>Erwin advises CISOs to consider what expertise they need internally based on their specific risk profiles and appetites, and what capabilities and services they can rely on externally without putting their organizations at greater risk.<\/p>\n<p>All in all, the changes underscore a role evolution for CISOs in which they must align security with business objectives while still keeping a pulse on day-to-day operations.<\/p>\n<p>But they won\u2019t be going it alone. Finding the right partners may be more important than ever.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprises are increasingly spending more on security software and services than they are on staff, a radical shift in security budgeting that will transform the role of the CISO at many organizations, as well as the roles of remaining in-house staff. 
Gartner predicts a 15% growth in security spending next year on software and services, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/454"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=454"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/454\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/442"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}