Even though awareness around the risks posed to businesses from cyberthreats is growing, spending to increase cybersecurity in the private sector is lagging.
According to a new report and survey from the Institute of Information Security Professionals (IISP), current spending is not enough to implement the technology, compliance programs and staff awareness training necessary to abate cyberthreats. The IISP determined its findings by examining the security budgets allocated at private companies across multiple global sectors, as well as how these budgets have changed following well-documented and widely publicized incidents of cyberattack.
The report found two-thirds of the companies surveyed increased their cybersecurity spending following data breaches such as those seen at businesses including Target and Anthem. However, the report concluded that even businesses that are increasing their investment are not doing so at a level that matches the growing risks they face. These include threats related to external attacks, insider misuse, low staff awareness and technical device and service proliferation.
"Increased spending is vital for attracting and retaining IT professionals with adequate knowledge and experience."
Increased spending is especially vital for attracting and retaining professionals with adequate knowledge and experience to oversee successful internal cybersecurity operations, the report found. A widespread shortage of skilled staff was reported, both in terms of number of employees and employees with adequate expertise. Reasons for this included increased competition to attract these professionals, meaning retention is becoming more costly for companies. However, internal factors, including lengthy hiring processes, are also making it more difficult for businesses to recruit and retain talented cybersecurity staffers.
The report concluded there is a "growing problem" in the private sector relating to the increased frequency, variety and sources of cyberattacks. Additionally, there is greater reliance on increasingly complex IT systems, often without the security staff and regulatory environment needed to maintain these systems or to create a culture of cyber awareness among non-IT employees.
While the report found awareness of cyberthreats has increased, without adequate spending many companies may be experiencing a false sense of security.
Public sector spending goes up but problems remain
Meanwhile, as TechTarget reported, cybersecurity spending in the public sector saw an increase as President Barack Obama included a $19 billion cybersecurity spending bump in his fiscal year 2017 budget. However, as TechTarget contributor Adam Rice argued, spending alone is not enough to implement effective cyberrisk management.
Just as experts in the private sector argue for the integration of cybersecurity awareness into all departments of a company, Rice noted the federal government will need to work to unify its currently decentralized IT departments.
"Many federal departments are comparable to Fortune 500 companies in terms of size and scale," Rice wrote. "They have thousands of employees and millions in their IT budgets."
In addition to increasing compliance with Federal Information Security Management Act (FISMA) best practices, federal agencies, like private sector businesses, will need to work on increasing interdepartmental communication and matching market-driven compensation in order to attract the most qualified professionals.