Increased spending doesn’t translate to improved cybersecurity posture

Security teams are stretched, with not enough people, skills or budget to cope with all their priorities, according to Panaseer.

Average cybersecurity budgets increase in 2023

The survey of over 400 cybersecurity decision makers and practitioners across the US and UK identified nearly one-third have concerns around a lack of security skills and lack of security training budget, and over one-quarter are worried about low security team headcount and low overall security budget.

Yet adoption of processes to ease these concerns remains slow, as more than three-quarters of respondents express concerns that approaches like vendor consolidation will negatively impact security posture.

It is estimated there will be a skills gap of millions of unfilled positions in cybersecurity in the near future. At the same time, enterprises across the technology and cyber industries have been forced to make significant cutbacks and lay-offs in 2023.

Despite an average cybersecurity budget increase of 29% in 2023, respondents say they need a further 40% rise to be confident in their ability to mitigate security risks. With this, more than half would spend money on hiring more security specialists, shortly followed by investment in security awareness training (50%) and upskilling security teams (44%).

Organizations struggle with cybersecurity due to resource constraints

“This requirement for more investment may be a result of 35% of cyber budgets not going towards improving security posture and therefore possibly being considered as wasted. The true figure could be even higher than this, and I’m doubtful that the remaining 65% is being spent on strategic risk reduction, even in large financial sector organizations,” states Andreas Wuchner, Field CISO at Panaseer.

“The worry is the impact this is having on security posture: 74% of respondents to our survey stated their ability to manage cybersecurity posture in their organization is being negatively impacted by a lack of security resources. But the answer is not simply finding more people. Instead, we need to look at where technology can be optimized, where automation can ease workload, and where consolidation can reduce complexity and enable a single source of truth across the IT infrastructure,” added Wuchner.

Gartner found three times as many organizations were pursuing consolidation in 2022 than were in 2020 and, according to the Panaseer survey, 86% of organizations are currently consolidating their security stack. Anxiety is evident around the consequences of consolidation given that 35% of US respondents are very concerned, along with almost 1 in 5 (18%) in the UK.

However, it seems fears don’t match reality. Only 19% of those that haven’t started the process of vendor consolidation expect it would improve their security posture, yet 42% who have begun this journey are now seeing a measurable improvement.

Automation is more commonplace than consolidation

The report found that automation is more commonplace than consolidation in easing industry concerns: 96% automate at least one aspect of their cybersecurity.

According to Marie Wilcox, VP of Marketing at Panaseer and Board Member at the Chartered Institute of Information Security (CIISEC), “This is hugely positive given automation’s role in compliance with evolving legislation. Alongside more stringent mandates in the US National Cybersecurity Strategy around MFA and EDR, and proposals from the Securities and Exchange Commission (SEC) for cyber risk disclosure, the EU’s Digital Operational Resilience Act (DORA) requires that financial services organizations continuously monitor their security and IT systems and tools. To make this possible, automation will be crucial.”

In general, regulation is being welcomed by cybersecurity decision-makers and practitioners. 74% of respondents believe there will be a positive effect on their ability to manage security posture due to new regulations. In the US, 35% see regulation as extremely positive, compared to 12% in the UK. Yet while 82% are confident they’re able to meet deadlines for compliance, 49% still mostly or solely rely on manual, point-in-time audits.

Only 5% rely solely on continuously auditing using automation to demonstrate compliance, indicating the scale of change that needs to occur. It is possible that more budget needs to be given to enable automated processes. Fortunately, 80% of respondents state they have an explicit budget line item for monitoring the effectiveness of security tools, which may include a CCM solution to turn data into powerful insights and replace manual processes with automation.