Understaffed, Under Budgeted, and Overworked
Editor’s Note: Part three in a four-part series
In the first two blog posts in our series on the Managed Security in the Enterprise report, we established that cyber security is still a problem and respondents have experienced real loss (see It’s Tough Out There and Threats Equate to Actual Loss). Exacerbating the problems of frequent cyber attacks and mounting losses is the fact that 49 percent of American organizations reported that it is getting somewhat/significantly more difficult to provide security. Our survey respondents attributed their challenges to four areas: increasing security threats (58 percent), not enough staff (57 percent), increasing regulatory demands (44 percent), and limited budget (49 percent). Typically, we would expect to see budgetary limitations more pronounced than staffing challenges. I suspect that we are seeing the opposite due to the global economic downturn.
On that point, we dug deeper on security staffing to understand why it was so challenging for IT departments. In fact, more than one-third of respondents (37 percent) indicated they are somewhat or significantly understaffed. The top cited reasons for these challenges are lay-offs (reported by one-fifth (19 percent) of respondents) and lack of funding (reported by one-fourth (26 percent) of respondents).
Perhaps one surprising aspect of this finding is that respondents are still having a tough time finding qualified applicants even when they do get the budget (27 percent). I would have suspected top security talent becoming more available as a result of layoffs or slow downs on hiring. In our European survey, an alarming 46 percent of organizations reported being understaffing and 42 percent of respondents reported difficulty in finding the right quality of applicants.
In terms of differences in vertical industries, entertainment (53 percent), manufacturing (49 percent), and healthcare (49 percent) all reported more pronounced challenges related to staffing when compared to the average of 39 percent that reported being somewhat/significantly understaffed. In December of 2008, IDC predicted that global IT growth would be halved to 2.6 percent or less as a result of the global economic downturn. However, in January 2009, IDC stated that the security services market would only take a slight cut—dropping from an expected 17.1 percent compound annual growth rate (CAGR) to 15.9 percent through 2012.
My read: organizations are realizing that there is real potential loss on the table from cyber threats, and they can’t handle the function adequately in-house. The problem is so significant that organizations are looking to security services to fill gaps in their security. In the final blog post in the series, we’ll wrap up by talking about the trend toward outsourcing security functions in order to manage these challenges.
Grant Geyer, VP Symantec Managed Services