The cybersecurity threats against organizations in the UK are outpacing budget increases, according to The Institute of Information Security Professionals (IISP). The UK industry group said that organizations’ defensive capabilities and breach responses are improving overall, but the progress is not universal.
The IISP surveyed its members, and compiled over 260 responses into the “Security market trends and predictions” (PDF) report. It shows that 42 percent of UK security professionals believe the industry is improving its defense of systems, and a further 46 percent see neither progress nor regression. Hardly any see drastic change, while 9 percent believe systems protection has gotten worse.
Two-thirds of cybersecurity budgets are rising, which fits with other recent research on cybersecurity spending, and only 12 percent are falling, according to the survey. The IISP compared the budget changes with threat landscape information and found that three out of five budgets were rising more slowly than the threat level, as opposed to a mere 7 percent increasing ahead of it.
“In times of financial pressure or instability as we have seen in recent years, security is often seen as a supporting function or an overhead,” said Piers Wilson, Director at IISP. “Security budgets are hard won because they are about protection against future issues, so are a good indication of the state of risk awareness in the wider business community. While it is good news that businesses are increasing investment, it is clear that spending on security is still not at a level that matches the changing threat landscape.”
A lack of resources and a lack of experience are the most common challenges for IISP members, ahead of a lack of skills and a lack of new entrants. However, roughly one in four report challenges from more than one of these shortfalls, and another one in four report problems with all four areas.
The report authors note a seeming contradiction in the improvement of defensive and response capabilities while budgets are failing to keep up with threats. They say that the conundrum is not the result of gains in productivity and efficiency, but is rather reflective of the range of responses. Of those who report falling budgets and acute skills or resource shortages, just over one in five say they have improved capabilities of threat detection and mitigation.
In other words, most organizations which are not suffering acute shortages from falling budgets are reporting better results, and most which are suffering shortages are not. Maybe you don’t have to outrun the bear; you just have to outrun the other guy.