Cybersecurity remains an elusive business priority

I’ve been remiss by not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations. 

Based upon a global survey of 641 IT and cybersecurity professionals, the ESG research reveals:

• While just over half (53%) of organizations plan on increasing IT spending overall this year, 69% said they are increasing spending on cybersecurity. As far as cybersecurity spending goes, 48% will make their most significant cybersecurity technology investments in cloud security, 39% will in network security, 30% in endpoint security, and 29% in security analytics.   
• Respondents were asked which business outcomes were their highest priorities for this year. The top three results were as follows: 43% said “reducing costs,” 40% said “increasing productivity,” and 39% said “improving information security.” 
• When asked which business initiatives will drive the most IT spending, 39% said “increasing cybersecurity,” the top selection of all.
• When asked to identify the most important IT initiatives for this year, the number one answer was “strengthening cybersecurity controls and processes.” 
• For the sixth year in a row, survey respondents said cybersecurity is the area where their organization has the biggest problematic shortage of skills. This year, 45% of organizations said they have a problematic shortage of cybersecurity skills—nearly identical to last year’s results (46% said they had a problematic shortage of cybersecurity skills in 2016).

Allow me to provide a bit of analysis to this data (after all, I am an industry analyst):

1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs. 

2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously. 

3. Corporate boards want to transfer risk, so demand for cyber insurance policies shows no end in sight. 

4. The pool of next-generation CISOs who understand business initiatives, operations and cybersecurity technology is extremely shallow. We need more and better programs to train people for these critical jobs.

5. Every CISO should be investing in skills and best practices for cloud security and figure out where cloud-centric controls can supplement or replace traditional security controls. 

6. Once again, there is no near-term improvement for the cybersecurity skills shortage.  Expect:

a. Continued salary inflation

b. Growth for professional and managed security services

c. More technologies featuring artificial intelligence and automation that can offload human tasks