News: 1725546850

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Security boom is over, with over a third of CISOs reporting flat or falling budgets

(2024/09/05)


It looks like security budgets are coming up against belt-tightening policies, with chief security officers reporting budgets rising more slowly than ever and over a third saying their spending this year will be flat or even reduced.

The same is true for staffing levels, according to the [1]fifth annual survey of CISOs carried out by security analyst house IANS Research. Over a third of the 755 security bosses polled admitted they weren't hiring, although overall staffing growth rates were less than half of those seen in 2022.

"There's still a continuing talent shortage, so finding and retaining people is very challenging," Nick Kakolowski, senior research director at IANS, told The Register .

[2]

"Anecdotally, the biggest factor [in retention] ends up being opportunities for growth. If there's no way forward, people feel they are stagnating, especially after two to four years. It's a very special job that has levels of stress that exceed other roles."

[3]

[4]

The survey does note that overall security spending is still up 8 percent in 2024, although nowhere near the heady days of 2021 (16 percent growth) and 2022 (17 percent). Kakolowski attributed this slowdown not to a general malaise but more to the fact that some sectors, notably manufacturing, had been playing catch-up on their security spending and were now up to speed.

[5]CISOs' salary growth slows – with pay gap widening

[6]What a glimpse inside the Black Hat NOC reveals about infosec pros' security habits

[7]Inflation, recession, pah! IT budgets set to rise in 2023

[8]Uncle Sam orders federal agencies to step up scans for govt IT security holes

An encouraging sign also is that security spending as a proportion of the overall IT budget is on the rise, up from 8.6 percent in 2020 to 13.2 percent this year. That trend looks set to continue, Kakolowski opined, but still security spending was typically less than 1 percent of the revenue of those quizzed.

The survey also showed signs that, at last, the C-suite execs are grokking the need for security spending. This is in part down to last year's [9]SEC rule changes on reporting security incidents ( The Reg 's full guide on the topic is [10]here ) as well as concerns over corporate liability to lawsuits.

The recent string of third-party supplier hacks also has board members (and CISOs) concerned. The question is, Kakolowski suggested, how you verify partners and whether companies should hire other orgs to check on supplier security.

[11]

"No one has the definitive solution, but people are figuring out how far they need to go to secure their organizations," he explained.

Finally, on the subject of cyber insurance, the market is booming, and not because CEOs and CISOs think it necessarily fully covers them. It's key that if an insurance contract is entered into, the terms and conditions are carefully checked, he warned, to make sure that if the worst happens, someone actually pays up. ®

Get our [12]Tech Resources



[1] https://www.iansresearch.com/resources/ians-security-budget-benchmark-report

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZtnVoSkchalPIihu11oQVgAAAUI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtnVoSkchalPIihu11oQVgAAAUI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZtnVoSkchalPIihu11oQVgAAAUI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2023/10/11/cisos_salary_growth_slows/

[6] https://www.theregister.com/2024/08/12/black_hat_security/

[7] https://www.theregister.com/2022/09/27/it_budgets_2023_inflation_recession/

[8] https://www.theregister.com/2022/10/04/cisa_software_vulnerability_directive/

[9] https://www.theregister.com/2023/07/26/sec_reporting_security/

[10] https://www.theregister.com/2024/05/22/sec_cybersecurity_disclosure_clarification/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtnVoSkchalPIihu11oQVgAAAUI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[12] https://whitepapers.theregister.com/



An encouraging sign

abend0c4

It may be an encouraging sign for technology suppliers that they get to foist on to their customers more of the ever-increasing cost of remediating the deficiencies in their commercial products, but I'd be more encouraged if the law started tightening up on those "fit for purpose" disclaimers.

My My, hey hey
Rock and roll is here to stay The king is gone but he's not forgotten
It's better to burn out This is the story of a Johnny Rotten
Than to fade away It's better to burn out than it is to rust
My my, hey hey The king is gone but he's not forgotten

It's out of the blue and into the black Hey hey, my my
They give you this, but you pay for that Rock and roll can never die
And once you're gone you can never come back There's more to the picture
When you're out of the blue Than meets the eye
And into the black
-- Neil Young
"My My, Hey Hey (Out of the Blue), Rust Never Sleeps"