Compliance mandates, cybersecurity best practices dominate 2019 security priorities

The security landscape is never static. Smarter cybercriminals, evolving malware, more regulations and higher financial and national security stakes force organizations and their security teams to constantly adjust priorities.

The IDG 2019 Security Priorities Study, released at the end of July 2019, helps to define how those priorities are changing for the next 12 months. The study is based on a survey of 528 security professionals worldwide. It covers cybersecurity spending, reporting structures, technology adoption, and the driving factors behind all of it.

Below are the most significant takeaways from the study.

Security budgets are rising

Nearly all companies expect to have more or the same amount of money to spend on security in the coming year, but not necessarily on things security professionals believe they need the most. You can thank new privacy and security regulations for that. Two-thirds (66%) of the respondents said compliance mandates were a driving factor for security spending. Some respondents (27%) see compliance mandates as a distraction from strategic initiatives, however.

Only 4% of respondents expected their security budgets to go down, while 50% expected an increase and 46% expected the budget to be flat. Other determining factors for security budgets were best practices (73%), responding to a security incident at the organization (39%), mandates from the board of directors, and responding to a security incident at another organization or a business partner (55%).

Study authors note that while headline-making breaches like the 885 million record breach at First American Corporation have driven security spend increases in the past, this year’s study shows less influence on security budgets. “Instead, the biggest drivers by far are best practices and compliance mandates. Both of these answers have often-debated drawbacks. Experts note that even well-established best practice frameworks from NIST and COBIT are limited and organizations can struggle to implement their directives in each unique context, and with the greatest possible effect,” said the study’s authors.

Protecting sensitive data the top priority

The EU’s General Data Protection Regulation (GDPR) went into effect in May 2018. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. These and other existing or upcoming privacy regulations have sharpened organizations’ focus on protecting personally identifiable information (PII). That’s reflected in the IDG study with 59% of respondents saying it’s their top priority.

The next-highest priority will directly contribute to protecting PII as well as other assets. Security awareness training (44%) is widely seen as an effective way to cut down on phishing and other social engineering attacks. Upgrading IT and data security to boost resiliency (39%), improving understanding of external threats (34%), better leveraging data and analytics (24%), and reducing IT security infrastructure complexity (22%) round out respondents’ top priorities.

Top security investment in staff, but not by much

 A quarter of security spend will go to skilled staff, according to the study. That’s the highest percentage of spend, but tools and technology (23%) and infrastructure and equipment (22%) are right behind. Only 11% of security spend is going to cloud services, while 12% is going to contracted services.

Half of all smaller organizations lack a top security executive

While 88% of enterprise-class organizations have a top security executive, only 51% of small- to medium-sized businesses (SMBs) do. Most of those top executives have the CISO or CSO title (74% at enterprises, 28% at SMBs).

Top security executives most commonly report to the CIO (31%). A significant percentage (22%) report directly to the CEO and 7% report directly to the board of directors.

Zero-trust is hot, blockchain not so much

Nearly half of all respondents say they are actively researching zero-trust technology, or it’s on their radar. Thirty-six percent say they are researching blockchain, but 50% say they have no interest in blockchain technology—the highest “no interest” percentage by far of all technologies listed in the study.

IDG Communications, Inc.

“The survey results show mixed uptake for some tools and approaches that could be considered new or a departure in some meaningful sense from security-as-usual,” said the report’s authors. “These include zero-trust technologies, DevSecOps, deception technologies, and big data analytics, which form the basis for emerging applications of machine learning and, eventually, artificial intelligence.”