Network Computing is part of the Informa Tech Division of Informa PLC

Network Security Is In A Shaky State: Survey: Page 2 of 8

"I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law-enforcement agencies. The agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises, Clissold says. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls.

Managing expectations is important for handling staffing inadequacies, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. "We must be skilled communicators and negotiators with those in senior positions," he says.

Being resourceful often means having users take more responsibility for security measures, says Justin Bell, a security specialist at a Wisconsin engineering consulting firm. Bell's IT staff sends out a monthly security newsletter and E-mail messages that get users to perform tasks that IT might normally handle. For example, during a recent switch from static IP addresses to the Dynamic Host Configuration Protocol, Bell's group took advantage of users' efforts and cut its workload to 30 machines from 360.

Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT-security managers say, that translates directly to greater organizational vulnerability.

Shrinking Dollars
The survey shows shrinking numbers at both the high and low ends of IT security budgets. Significantly, only 16% of this year's respondents say less than 1% of their IT budget is spent on security, down from 19% who made the same claim last year. However, the portion of readers who put their security budgets at 16% or more of their IT spending shrank as well, down to 7% this year from 9% last year.

"Budgets are increasing, but they're still a sliver of the overall budget," says Kelly Hansen, CEO of information-security consulting firm Neohapsis and a columnist for Secure Enterprise.