Lack of skills and tight budgets weigh heavily on cybersecurity leaders
Panaseer, a specialist in security posture management powered by Continuous Controls Monitoring (CCM), has launched its report on Cybersecurity Optimisation for 2023.
The survey of more than 400 cybersecurity decision makers and practitioners across the US and UK identified nearly one-third have concerns around a lack of security skills and lack of security training budget, and more than one-quarter are worried about low security team headcount and low overall security budget.
Yet adoption of processes to ease these concerns remains slow, as more than three-quarters of respondents express concerns that approaches like vendor consolidation will negatively impact security posture, according to the report.
It is estimated there will be a skills gap of 3.5 million unfilled positions in cybersecurity by 2025, and at the same time enterprises across the technology and cyber industries have been forced to make significant cutbacks and lay-offs in 2023.
Despite an average cybersecurity budget increase of 29% in 2023, respondents to the Panaseer survey say they need a further 40% rise to be confident in their ability to mitigate security risks. Given that extra budget, more than half would spend it on hiring more security specialists, followed closely by investment in security awareness training (50%) and upskilling security teams (44%).
Andreas Wuchner, Field CISO at Panaseer, says, “This requirement for more investment may be a result of 35% of cyber budgets not going towards improving security posture and therefore possibly being considered as wasted. The true figure could be even higher than this, and I’m doubtful that the remaining 65% is being spent on strategic risk reduction, even in large financial sector organisations.
“The worry is the impact this is having on security posture: 74% of respondents to our survey stated their ability to manage cybersecurity posture in their organisation is being negatively impacted by a lack of security resources. But the answer is not simply finding more people. Instead, we need to look at where technology can be optimised, where automation can ease workload, and where consolidation can reduce complexity and enable a single source of truth across the IT infrastructure.”
Gartner found three times as many organisations were pursuing consolidation in 2022 as were in 2020 and, according to the Panaseer survey, 86% of organisations are currently consolidating their security stack.
Anxiety about the consequences of consolidation is evident: 35% of US respondents are very concerned, as are almost one in five (18%) in the UK. However, it seems fears don’t match reality. Only 19% of those that haven’t started the process of vendor consolidation expect it would improve their security posture, yet 42% of those who have begun this journey are now seeing a measurable improvement.
Further automation required to support regulation
The Panaseer report found that automation is more commonplace than consolidation in easing industry concerns: 96% automate at least one aspect of their cybersecurity.
According to Marie Wilcox, VP of Marketing at Panaseer and Board Member at the Chartered Institute of Information Security (CIISEC), “This is hugely positive given automation’s role in compliance with evolving legislation.
“Alongside more stringent mandates in the US National Cybersecurity Strategy around MFA and EDR, and proposals from the Securities and Exchange Commission (SEC) for cyber risk disclosure, the EU’s Digital Operational Resilience Act (DORA) requires that financial services organisations continuously monitor their security and IT systems and tools. To make this possible, automation will be crucial.”
In general, regulation is being welcomed by cybersecurity decision-makers and practitioners. Three-quarters of respondents (74%) believe new regulations will have a positive effect on their ability to manage security posture. In the US, 35% see regulation as extremely positive, compared to 12% in the UK. Yet while 82% are confident they’re able to meet compliance deadlines, 49% still mostly or solely rely on manual, point-in-time audits.
Only 5% rely solely on continuous, automated auditing to demonstrate compliance, indicating the scale of change that needs to occur. It is possible that more budget needs to be allocated to enable automated processes.
Fortunately, 80% of respondents state they have an explicit budget line item for monitoring the effectiveness of security tools, which may include a CCM solution to turn data into powerful insights and replace manual processes with automation.