Organizational Security Spending Trending Toward Services

Author: Frank Downs, Director, Proactive Services at BlueVoyant and Member of ISACA Emerging Trends Working Group
Published: March 12

Since the emergence of information security online, organizations have poured millions of dollars into products promising to increase the speed of incident recognition, response times and overall operational efficiency. To an extent, the idea that automation and enablement work hand in hand has proved out over the past several decades. As such, for many years, organizational security budgets have favored products over services. However, a recent Forrester report confirms that, over the past two years, more funding from security budgets has been dedicated to obtaining services than products. Further research supports that one of the main causes for the increase in service spending is a lack of trained professionals and of the ability to establish a proper framework in which to perform risk management. This trend may continue to grow as organizations scramble to address their deficiencies.

Observing the field of cybersecurity, it comes as no surprise that good help is still hard to find. In fact, ISACA's State of Cybersecurity 2020 indicates that over half of managers in the information security field view their organizations as understaffed. Additionally, a new position on a cybersecurity team remains vacant, on average, for at least three months, putting more pressure on organizational teams. These statistics lend credence to the suggestion that, rather than staffing appropriately, organizations will reach out to service-offering companies to fill the gap. Tim Bandos, the Vice President of Cybersecurity at Digital Guardian, echoed this sentiment at the recent RSA conference, stating that it is "lack of resources and technical capability" that are driving organizations toward greater investment in services. Bandos gave an example of implementing a new data loss prevention (DLP) solution, stating that "it's hard to implement a DLP program … it's going to take a while to get a program up and running … services will get you up and running on day one." Bandos stated that many products will provide companies with the data needed to make impactful decisions and improve their cybersecurity posture, but low staffing and resources result in a lack of understanding, time, or the ability to use the data meaningfully. Bringing in a service can help resolve the issue.

Bandos' example of efficient data usage aligns with both organizational sentiment and reports indicating that data ownership does not equal data comprehension. Specifically, Forrester researchers discovered that organizations with a small security budget place "improving security analytics and capabilities" as their top priority for 2020. This especially makes sense coming from organizations with smaller security budgets – people are always more expensive than services. Bandos provided another example wherein applying certain comprehensive solutions across an entire enterprise could cost over US$1 million per year, should he hire an in-house team to staff and implement the solution. However, a service can provide the same implementation, customization and reporting for a fraction of that cost – the one-year savings could fuel a multiyear implementation.

Knowing where to apply the saved budget also points to the need for prioritization of effort and funds – and to the lack of a risk management framework to guide those efforts. It is not surprising, according to Forrester, that one of the top priorities for both low-budget and higher-budget security spenders is establishing a formal technology/IT risk framework. No matter the amount of funding organizations devote to cybersecurity, without a framework, such as those in the CMMI Cybermaturity Platform, organizations are unable to apply their efforts effectively. These frameworks can help companies establish their risk profile and understand where their true vulnerabilities lie. In turn, they can appropriately direct funds and effort to trouble areas and increase their level of security.

The shift of focus in security spending from products to services should not be surprising to anyone watching the cybersecurity field mature. As the field is still in a relatively nascent stage, it is understandable that the workforce is not fully developed. While those future cybersecurity professionals grow and learn, organizations will still need to rely on services to fill in the gaps and on frameworks to help them identify where those gaps exist.