And when it comes to security budget spending, at least in the next few years, it would be wise to invest in people while organizations can still find qualified ones. According to a just-released study from IT certifications provider (ISC)2, about 2.25 million information security professionals were working worldwide last year. That figure is expected to leap to 4.25 million in two years, and (ISC)2 expects that there could be a 47% shortage of security professionals qualified to fill those positions.
Our own "State of the CSO" in 2013 found that this demand for skilled IT security professionals is already straining organizations' ability to attract top security talent. It is the larger companies that are most likely to increase their security resources, with 42 percent planning staffing increases, compared to 37 percent of midsize and 26 percent of small organizations. In fact, finding and retaining skilled IT security workers was identified among the greatest challenges for 31 percent of large companies.
Out with the old
Another way to maximize security budget is to make certain the budget is as aligned with current security demands and applications as is possible. "We see a lot of security shelfware out there," says Javvad Malik, security analyst at The 451 Group. "In a recent survey we conducted, not a single respondent said that they have a process in place to actually decommission old IT security products."
Predictably, what ends up happening year after year is that these enterprises acquire new security applications but never decommission the ones already in place, even when they are no longer in productive use. "They're scared that it might impact something, or fear it's too embedded into their processes even though they're not getting any value out of the application. They end up with all of this bloat that's just hanging around and costing them money," he says. While it may sound obvious, it's something many enterprises aren't doing: cull all of those security appliances and software apps that can be decommissioned.
Avoid the shiny
Andy Ellis, chief security officer at Akamai Technologies, says it's unfortunately all too common for enterprises to buy security equipment that they don't have the expertise on staff to maintain, or to fail to set aside a training budget for it. Before buying that SIEM, web application firewall, or malware forensics analysis software, Ellis has a set of questions that he says need to be answered:
- Did you have people who knew how to use the system?
- Were they able to apply themselves to installing, using, and maintaining the system?
- Did the system actually have an effect?
A negative answer to any of these points to an ill-considered purchase, and even an affirmative answer to some of them doesn't mean the budget was wisely deployed. "At least you didn't just throw it away, but if you can't say 'yes' to all three of those questions, then you've wasted your money. How many SIEMs are out there that don't actually do anything because there are no operators to tune them," Ellis says.