26 Feb Spending, Headcount and Optimism: 6 Significant Takeaways from the State of IT Security Survey by eSecurity Planet
In 2019, most organizations will invest more in IT security, have plans to hire more staff, and generally think they are reasonably prepared to address security threats.
That’s according to a new survey – the 2019 State of IT Security – conducted by the trade publication eSecurity Planet. The survey of readers was conducted in January and garnered responses from professionals who hold job titles ranging “from security engineers up to CIOs and CEOs.”
Despite the pace of data breaches, which creates a sense of “disillusionment” in cybersecurity, “the 2019 State of IT Security survey paints an optimistic picture,” according to Sean Michael Kerner, a senior security editor. The survey shows many businesses are being more proactive about cybersecurity, “instead of waiting for the next breach to occur.”
6 Significant Takeaways from the State of IT Security Survey
We’ve reviewed all the coverage we could find examining the survey and have highlighted the findings that stood for us below.
1) Security spending to grow this year.
A majority, 54% of respondents said their organizations plan to boost security spending in 2019, though some will invest more than others. About one third (30%) said their company would boost spending by 10-20% or more.
“The results point to robust demand for security products, as companies try to counter increasingly sophisticated attacks and protect data from breaches that could lead to steep fines,” wrote Paul Shread, editor of eSecurity Planet.
Network level tools were found on the list of spending priorities:
“Network access control (NAC), web gateways and data loss prevention (DLP) are the top IT security spending priorities, revealing a need for security teams to balance external and internal threats.”
And also amongst the tools in which security has the most confidence:
“NAC topped the list of security technologies that users have the most confidence in, with 25.6 percent saying they trust NAC. DNS filtering came in second at 24.8 percent, while NGFW [next generation firewall] and IDPS [intrusion detection and prevention systems] scored 17.4 and 15.7 percent, respectively.”
2) Security staff headcount will grow too.
Some of that investment may go towards human resources. Most respondents (57%) indicated their organization aimed to hire more staff in 2019. Indeed, in our own survey of network security professionals published in January, a plea to boost staffing was apparent in the open-ended comments.
It may be a case of easier said than done, however. The publication pointed out in a piece on the security employment outlook, there remains a talent shortage of 500,000 security professionals in North America – and roughly 3 million globally.
Among the titles expected to be most in demand are:
- Network security engineer;
- Security engineer; and
- Application security engineer.
3) Not all organizations are equally prepared.
While the overall survey found some 66% of respondents feel they are “well prepared for security threats” there were differences when examining the responses by the size of the organization. Generally, the larger the company, the more confident respondents were in their security posture, while smaller companies felt less prepared. Businesses in regulated markets such as healthcare and financial services were “far more likely to report strong security and compliance preparedness.”
4) Vulnerability patching remains a concern.
“One of the most commonly cited root causes of data breaches in recent years has been unpatched vulnerabilities,” wrote Mr. Kerner. “It was an unpatched software component that led to the massive Equifax data breach, for example.”
Yet security pros have varying levels of confidence in the tool they use to manage patches:
“Across organizations of all sizes, 19 percent ranked patch management as a technology they are confident in, with 11.6 percent saying they lack confidence in patch management. Additionally, 13.2 percent said their organizations need more education and training when it comes to patch management.”
Other studies have shown that in 2018, it took organizations an average of 38 days to patch a vulnerability, and even the most critical took 34 days. Patching isn’t a tool, it’s part of the overall change process that is helped along significantly by cultivating a good working relationship between security and DevOps.
In our survey, respondents were nearly evenly divided into three camps as to the state of the relationship between security and DevOps. About one-third (34%) said it was strong; about one-third (27%) said it was weak; and about one-third (35%) were on the fence, indicating the relationship is neither strong nor weak.
It’s worth pointing out, patching isn’t the only answer either. For example, a Snort rule was available for the vulnerability that hit Equifax about a day after the exploit was announced. Those rules could have been implemented to detect malicious activity even as a patch worked its way through the change management process.
5) Greatest doubt: defending against APTs.
The survey asked respondents how well they thought their organization was prepared to defend against specific threats. Respondents expressed the most concern, or “doubt” about their organization’s ability to defend against the following:
- 38% said advanced persistent threats (APTs)
- 34% said insider threats
- 32% said DDoS attacks
- 30% said ransomware
- 27% said SQL injections
“Advanced persistent threats (APTs) are one of the most damaging cyberattacks, with attackers residing within an organization’s network for some time searching for high-value targets such as sensitive data stores and trade secrets,” wrote Mr. Kerner in an analysis of the study.
Challenges like “IT infrastructure complexity” and “lack of tool interoperability” are contributing factors to the lack of visibly network security professionals have on any given network. In turn, this is a factor among those threats that dwell undetected, which 2018 lasted for an average of 38 days.
There is, “an emerging gulf between companies ready to meet the growing perimeter and insider threats to their security and those that aren’t,” wrote Chris J. Preimesberger, the editor-in-chief for eWeek, about the study. “Nearly one-third of companies are still inadequately prepared.”
6) Threat hunting adoption is slow but steady.
One proactive step a security team can take is threat hunting – the process of seeking out threats that may have evaded detection. The eSecurity Planet survey puts the adoption of both concepts in the vicinity of about 40% to 50%.
More specifically, it noted:
“Larger organizations were also more actively engaged in threat hunting, with 51 percent engaged in threat hunting once a year or more frequently. That number drops to 40 percent for organizations of 100 employees or fewer.”
This is largely in-line with other surveys aimed at benchmarking threat hunting adoption, that suggest the process is growing on security organizations, slowly but steadily. For example, the 2018 Threat Hunting Report by Cybersecurity Insiders found about 40% of cybersecurity organizations say they conduct threat hunting presently. That was a small tick up from 5% from the same survey conducted the previous year. However, some 60% of respondents said they had plans to build out threat hunting programs over the next three years.
If you’re thinking about getting started, we hosted a two-part webinar series with one of the most prominent experts on threat hunting. You can find summaries of both webinars, along with links to the recordings here:
- Here’s What Network Threat Hunting Means, Why It Matters, and How to Get Started
- 7 Simple but Effective Threat Hunting Tips from a Veteran Threat Hunter
The publication unveiled the results in a series of articles in January and February on its news site – and also on it’s the website of its sister publication eWeek. Links to these articles are as follows:
- eSecurity Planet: 2019 IT Security Employment Outlook: The Hottest Skills and Markets
- eSecurity Planet: Over Half of Companies Are Upping Spending on IT Security
- eSecurity Planet: A third of companies are largely unprepared for cybersecurity attacks
- eSecurity Planet: Cybersecurity Simulation Tools Don’t Inspire Confidence
- eWeek: eSecurityPlanet Research Shows Gaps in Security Spending, Hiring
If you enjoyed this post, you might also like:
It is everyone’s business and responsibility” – 40+ Cybersecurity Professionals Share What They Wish Business Leaders Would Understand in Their Own Words