NewtonX market research revealed this week that 56% of organizations surveyed subcontract as much as 25% of their cybersecurity work. In the study, more than 100 chief information security officers, CTOs, and other senior decision-makers indicated a trend toward subcontracting one of the most critical roles continually facing enterprise professionals.
“[Chief information security officers] and CIOs/CTOs are finding it extremely difficult to hire and retain qualified cybersecurity staff. As a result, they are forced to look elsewhere for talent,” said Sascha Eder, cofounder and CEO of NewtonX. “A surprisingly large percentage — 56% — of organizations are addressing the hiring crunch by subcontracting at least some portion of their cybersecurity teams, most often to managed service providers.”
Despite the fundamental importance of cybersecurity, 40% of organizations surveyed responded that cybersecurity costs amount to 10% to 15% of total IT budgets. Despite the dangers that data breaches tend to have, the percentages are actually in a consistent range, according to Eder. “The 10-15% range is consistent with a Deloitte study that found financial services institutions spent around 10% of the total IT budget on cybersecurity,” he said.
In addition, as a general rule, Eder suggested that the degree to which budgets have grown to address the rising cybersecurity threat is more important than the size of the budget itself.
Supplementing overstretched IT teams
Standout spending areas include cyber monitoring/operations and endpoint and network security, which accounted for 50% of total cybersecurity budgets. Yet only two-thirds of respondents saw increases in those budgets, ranging from as low as 5% to as high as 50%, while the remaining one-third stayed the same.
Based on the facts and forecasts, this indicates cybersecurity leaders still believe budgets fall woefully short when it comes to the momentous task of controlling and preventing cyberattacks. Because of this, in an attempt to avoid vulnerabilities, understaffed cybersecurity departments look to subcontracting as a means of supplementing their own cybersecurity teams.
As VPN and DDoS attacks are expected to reach 11 million incidents by the end of 2021, along with the other influx of woes facing cybersecurity gatekeepers and insufficient resources — are all factors driving cybersecurity decision-makers to choose managed-service providers over in-house IT teams. CrowdStrike, Palo Alto Networks, and Microsoft were rated the leading managed-service cybersecurity providers in the NewtonX survey.
No budget for ransomware
Another reason security administration professionals may lie awake at night is the lack of budget for ransomware. “One interesting insight for us was how divided people are on laws restricting ransomware payments,” explained Patiwat Panurach, VP of strategic insights and analytics at NewtonX.
The survey showed that 39% of respondents agreed with proposed legislation limiting or banning such payments, while 26% disagreed.
“It’s not surprising, then, that 72% of companies polled don’t even have a ransomware budget, which just goes to show how much uncertainty there is about the impact of any such restrictions,” Panurach said.
Will regulators allow a ransom to be paid if the cost of not paying is a large, possibly politically damaging, disruption to high-profile services? Either way, firms should be increasingly vigilant as the volume of attacks continues to increase.