pwshub.com

Security boom is over, with third of budgets flat or falling

It looks like security budgets are coming up against belt-tightening policies, with chief security officers reporting budgets rising more slowly than ever and over a third saying their spending this year will be flat or even reduced.

The same is true for staffing levels, according to the fifth annual survey of CISOs carried out by security analyst house IANS Research. Over a third of the 755 security bosses polled admitted they weren't hiring, and overall staffing growth rates were less than half of those seen in 2022.

"There's still a continuing talent shortage, so finding and retaining people is very challenging," Nick Kakolowski, senior research director at IANS, told The Register.

"Anecdotally, the biggest factor [in retention] ends up being opportunities for growth. If there's no way forward, people feel they are stagnating, especially after two to four years. It's a very special job that has levels of stress that exceed other roles."

The survey does note that overall security spending is still up 8 percent in 2024, although nowhere near the heady days of 2021 (16 percent growth) and 2022 (17 percent). Kakolowski attributed this slowdown not to a general malaise but more to the fact that some sectors, notably manufacturing, had been playing catch-up on their security spending and were now up to speed.


Another encouraging sign is that security spending as a proportion of the overall IT budget is on the rise, up from 8.6 percent in 2020 to 13.2 percent this year. That trend looks set to continue, Kakolowski opined, but security spending was still typically less than 1 percent of the revenue of those quizzed.

The survey also showed signs that, at last, the C-suite execs are grokking the need for security spending. This is in part down to last year's SEC rule changes on reporting security incidents, as well as concerns over corporate liability to lawsuits.

The recent string of third-party supplier hacks also has board members (and CISOs) concerned. The question is, Kakolowski suggested, how you verify partners and whether companies should hire other orgs to check on supplier security.

"No one has the definitive solution, but people are figuring out how far they need to go to secure their organizations," he explained.

Finally, on the subject of cyber insurance, the market is booming, and not because CEOs and CISOs think it necessarily fully covers them. It's key that if an insurance contract is entered into, the terms and conditions are carefully checked, he warned, to make sure that if the worst happens, someone actually pays up. ®

Source: theregister.com
