Companies will spend marginally more money on technology and staff to defend their IT systems and data in 2015, but they continue to have problems hiring knowledgeable security professionals, according to a survey conducted by business-services firm Ernst & Young.
About 52 percent of the more than 1,800 organizations surveyed expect security budgets to increase, compared to 43 percent whose budgets will remain unchanged. More than half of firms identified the lack of skilled professionals as a major reason for their inability to bolster system security, according to the survey.
"Good resources are scarce and you have to find new ways to provide needed security services," Chip Tsantes, chief technology officer of the cyber-security practice at Ernst & Young, told eWEEK. “You have to be more creative to find the skills that you need.”
The lack of information-security professionals has been a common theme over the past five years. More recently, government hiring and the increase in the number of devices added to networks requiring security support has led to a continue shortfall in skilled security people, which Cisco estimates at 1 million workers worldwide.
The lack of adequate staff undermines a variety of security efforts, according to the survey. About a third of companies do not have the capability to assess threats in real-time; only 13 percent of firms believe they are meeting their information-security needs; and between a third and 45 percent of organizations gave themselves poor grades in a variety of cyber-security areas.
Companies without adequate staff need to prioritize efforts and focus on technologies and processes that give them better visibility into threats and their current risks, Tsantes said.
"You can't monitor everything, and that means you must make sure that you are focused on the most critical assets," he said. "Security teams need to direct the business to protect those assets and focus their efforts."
As in past years, companies flagged employees as the most likely source of threats to their information, but this year businesses identified a variety of external threats—such as criminal syndicates and hacktivists—as the most probable threats.
The survey found that 57 percent of respondents identified employees as a threat source, but criminals (53%), hacktivists (46%) and lone-wolf hackers (41%) were all deemed more likely a threat than the next highest internal actor, contractors.
To develop employees into a security asset rather than a vulnerability to be exploited, companies frequently train and focus on education. However, businesses should also track their employees' security awareness, according to the report.
While 55 percent of companies do not rate their employees' security knowledge on performance evaluations, establishing workers as a potential line of defense should be priority for companies.
"If employees understood that their own job security was under threat because the security of the organization was under threat, and that cyber-security was a performance metric, this could encourage a permanent change in awareness and behavior," the Ernst & Young report concluded.