Senior Analyst and Group Director Doug Cahill and Senior Principal Analyst Jon Oltsik share cybersecurity takeaways from ESG's 2018 Spending Intentions Survey.
Read the related ESG Blog: Key Cybersecurity Findings from ESG’s 2018 IT Spending Intentions Research
Announcer: The following is an ESG 360.
Doug: So, we've recently completed our annual IT spending intentions survey. And one of the things we gauge in the study is the relative priority of different IT initiatives. And, Jon, once again, cybersecurity came out on top as the area in which IT spending is gonna increase the most. But also it was the IT initiative that was the most important, most impactful for this coming year. And, you know, most notably it was, "Hey," you know, "this is the number one area where I've got to strengthen my cybersecurity processes, skills, technologies." I mean, it's not surprising it's top again, but from your perspective, what's driving this?
Jon: I don't think there's anything really new here. I think 2017, we saw the Equifax breach. 2018 we have GDPR coming. So business executives are understanding the risk and they're willing to throw money at the problem. The question is, where does that money go and do they get ROI on that money? I'd say that's still something we need to track because it's easy to buy new products. It's hard to implement those new products in an intelligent way. And that's really what we have to look for, is are people really advancing with cybersecurity or are they just treading water?
Doug: Yeah. So, speaking of GDPR, the study found that 82% of respondents see GDPR as representing a risk for their organization. And I imagine they're worried about the penalties, right? This is a reg with some real teeth in it. And we know a lot of organizations just aren't ready yet for GDPR.
Jon: That's right. Yeah. What I've heard from people in Europe, for instance, is that it's now like Y2K and that if you haven't really pursued your GDPR initiatives and you need help, good luck. You can't find anybody to help you. There are some real issues here. There's the requirement for incident response and disclosure. There's the ability to isolate an individual's data and be able to erase that data. And then, of course, as you said, there's the penalties. So, you have to be doing a risk assessment. You have to be putting together a strategy. Now, some of this isn't exactly new. We have standards in the past that are similar. But I think we'll see a lot of problems with GDPR in the May timeframe and then beyond.
Doug: Sure. And maybe there'll be learnings there, you know, in the event that, here in the U.S., we decide to implement a similar regulation.
Jon: Boy, I hope so.
Doug: I mean, after Equifax, almost half of U.S. citizens' PII got exposed, right? I mean, it just seems... It seems like we've got to go down this road at some point.
Jon: It seems like we have to go down... It seems like we have to get serious with legislation. Right now, we have a Congress that's very regulatory-averse or regulation-averse. But one breach could change everything.
Doug: Right. You bet. So, we talked about the Equifax breach. The other incident type that remained absolutely prevalent in 2017 was ransomware. And in our IT spending intentions survey, we gauged the market. We surveyed the market on the rate at which they experienced ransomware. And the numbers were pretty startling.
Jon: Yeah. Only a third of organizations that we surveyed hadn't been hit with ransomware. And I think it was 9% were facing ransomware attacks on a daily basis. And I know that that was especially pronounced in some industries like retail, for example.
Doug: That's unbelievable. Right. Yeah. Well, I think customers still aren't upgrading their endpoint security controls. I think the endpoint security vendors, you've got to give credit where credit is due, they've done a great job in advancing their detection and prevention capabilities, specifically for ransomware. There's a lot of good solutions on the market right now. But upgrading is hard. It's non-trivial. We did an endpoint security study last year and it showed that there's a lag in terms of the period of time that organizations upgrade their antivirus/endpoint security product. They often wait for a point release. So, they sorta skip over the major and they'll wait for a point release. But given the rate at which ransomware is hitting organizations, they've really got to prioritize updating their endpoint security controls.
Jon: Yeah. I agree. But I also think that they need to look at ransomware more holistically. So there's a training component to fighting ransomware. There's a data backup and restore component. There's clearly a prevention component as well. But I think that it's really, kind of, looking at this more holistically. And then, also, there should be a policy. I mean, a lot of, as we know, a lot of organizations actually pay the ransom. Is that a good idea? What's the cut-off? How do you make that judgment in a sound business context? I don't think that's happened yet. I think that needs to happen.
Doug: Your point about training is key, right? Because human gullibility is often the vulnerability that gets exploited here, as we well know. And there's some endpoint security products, to go back to that thread, that are integrating awareness training into the product. So, hey, if you're a knowledge worker and you click on something you shouldn't have clicked on, gone to a website you shouldn't have gone to, and in fact, that triggers an infection, you get rerouted to a learning exercise to remind you of best practices when it comes to computing.
Jon: Yeah. And I haven't done a lot of research in that area, but from what I've seen, those programs are effective. So, I think that needs to be more widespread.
Doug: Yeah. That's encouraging. That integration of awareness training into products for the end-user is definitely a positive step forward.
Jon: Yeah, I think so too. And let's talk overall. So, 53% of organizations are increasing their IT spending. But 63% are increasing their cybersecurity spending. So, clearly, cybersecurity is, as we've said, a big issue. What are the areas they're spending the money on, Doug?
Doug: You bet. So, given the broad adoption of cloud services, both infrastructure and SaaS apps, if you roll those two together, i.e., things like CASBs and cloud infrastructure security, that's the number one area of incremental spend. And then we have network security. Data security jumped a couple of spots this year. I think that's also sort of borne out of the, you know, broad use of cloud services; more data is going northbound to the cloud, and it's giving a resurgence to things like data loss prevention, cloud DLPs specifically, and endpoint security. Analytics, as well, is right at the top of the heap. So there's a lot of areas there where organizations are increasing cybersecurity spend, but cloud is a big driver there.
Jon: Yeah. It goes back to... I'm reminded of a conversation I had with a CISO a few years ago who said when you go to cloud, you lose some control. So, you have to gain control in other areas. And the two areas he mentioned were data security and identity and access management.
Doug: Oh, right.
Jon: And I think this bears it out. And I think cloud is going to pull dollars from other areas. It will pull dollars from host-based security. It will pull dollars from network security. So, I think that's something we'll keep an eye on in 2018.
Doug: Cybersecurity is currently funded but, as we know, because of the skillset shortage issue, it's often not resourced. What did the research tell us this year about the ongoing shortage of cybersecurity skills?
Jon: Well, things aren't improving at all. In 2016, 46% of organizations said they had a problematic shortage of cybersecurity skills. Almost the same in 2017. It was 45. It's up to 55% this year. Things don't appear to be getting any better, which means that you won't be able to recruit people, which means that in specialized areas like cloud security, good luck. Good luck finding someone with cloud computing skills and security skills. So, what do you do? Well, there are three things we see people doing. One is that they're consolidating their technologies, building an architecture, which we call "SOAPA," Security Operations and Analytics Platform Architecture. The second thing that they're doing is they're adopting more advanced analytics, artificial intelligence, which really helps their analysts deal with things. And the third thing is that they're adopting more technologies for security automation and orchestration. So, let's automate manual processes.
Doug: You bet. So automation and unifying separate teams, separate controls to get greater efficiencies.
Jon: Yeah. And you just saw that with your cloud computing security research where, today, people have different groups, they're working on different projects, but the trend is toward consolidation, correct?
Doug: Absolutely. Yeah. And organizations today are using separate controls for separate environments, but they very much want to flip that on its head and unify that moving forward.
Jon: Yeah. And we're fighting culture a little bit here because the culture of security was best of breed. "I have a specialist on this particular area." That doesn't scale. And we really have to think about scale and consistency and return on investment, and all the kinds of things we think of in a business context.
Doug: You bet. So, we're gonna go deeper into a lot of these topics in 2018. We've got a bunch of research projects in the queue around things like cloud data security, additional analytics study. So these are big takeaways from our annual IT spending intentions survey. But stay tuned for more details from ESG Research this year.