Security operations · 3 MIN READ · CHRIS WAYNFORTH · APR 19, 2023 · TAGS: MDR
We recently surveyed 500 IT decision-makers (ITDMs)—including IT and security execs, directors, and managers; owner/proprietors; partners; board chairs and members; chief executives; and managing directors—to get a better sense of the state of cybersecurity in the UK. The report, The UK cybersecurity landscape: challenges and opportunities, was released today. Some of the findings align with our expectations, while others surprised us.
And while at first glance the findings may paint a scary picture, there are plenty of opportunities for security leadership and teams to improve their strategies and capabilities.
Here’s a preview of our top findings.
1: ITDMs rate cybersecurity third on their list of concerns, but those in IT-specific roles see it as the biggest problem.
It’s rough going in the UK right now, as businesses deal with (among other things) the cost-of-living crisis, the looming prospect of a recession, and ever-changing customer expectations.
Despite these worries, half of all respondents highlighted security (50%) as a top challenge for 2023, behind energy prices (61%) and the economic climate (54%). However—perhaps owing to their proximity to the daily activity of the security operations centre (SOC)—IT departments see it as the most daunting challenge they face. Respondents also noted worries over sustainability, soaring customer expectations, and a global talent shortage.
2: A significant amount of the allotted security budget is going unused.
ITDMs surveyed report a median annual security budget of £200,000, which (predictably) varies by company size.
Surprisingly, though, the survey found that, on average, 26.7% of allocated security budgets went unspent. That means an average of £53,400 in available cybersecurity budget went unused in 2022. Twenty-one percent of respondents reported spending 50% or less of their security budgets.
3: UK organisations face tremendous security-related fatigue.
Security teams have their hands full. In addition to fighting the bad guys (investigating and researching alerts, responding to cybersecurity incidents, threat hunting, etc.), they’re also asked to conduct cyber hygiene training for employees, implement and integrate new security tools, and, by the way, train themselves so they can stay abreast of the latest hacker best practices (or perhaps we’d call these worst practices).
To complicate every step in the journey, they spend a huge chunk of time on low-priority alerts and false positives. This, in turn, leads to the much-discussed phenomenon of alert fatigue, which occurs when a constant barrage of alerts hits the SOC’s queue and the team either can’t deal with the volume or becomes desensitised to them.
The result? Analysts either take longer to respond or ignore the alerts completely.
Adding insult to injury is a talent shortage of about 3.4 million security professionals, a number roughly equal to the combined population of the cities of Birmingham, Glasgow, Liverpool, Bristol, and Manchester, and representing an increase of more than 26% over 2021, per (ISC)². As a result, defenders find their cybersecurity work frequently infringing on their private lives.
Ninety-three percent of respondents say work related to IT management and cybersecurity risk has forced them to cancel, delay, or interrupt personal commitments.
Thirty-four percent of the total say this happens all or most of the time, as do 43% of IT team members and 38% of CIOs/CTOs. (Many organisations, especially in the 250-1,000 employee tier, don’t have a dedicated security team, and in these cases, the IT team is responsible for security operations.)
What impact can this eventually have?
4: The resulting burnout threatens security and causes staff turnover.
A distressing number of those charged with safeguarding the business against cyberattackers experience burnout (61% of all respondents and a whopping 70% of IT and security pros say they or members of their teams are victims). That those in the trenches—security and IT teams—report higher numbers than everyone else suggests the problem may be worse than company leaders realise.
As we know, burnout is unsustainable. In the absence of internal remedies, the risk that workers will exit increases. In this case, respondents believe there’s better than a 50% chance they’ll lose people in the coming year.
Of particular interest: these folks report they’re thinking of leaving the “cybersecurity industry,” not just their current company. This should be a very concerning finding for UK organisations, as it suggests the already thin talent pool could shrink further.
5: Because of all these challenges, UK organisations tend toward a tactical and reactive approach vs. a forward-looking, strategic one.
Thirty-eight percent of respondents indicated mandatory regulation as the most common driver for further security investment. The next two responses will also sound familiar to security leaders: responding to a breach (32%) and improving security for maturing businesses (29%) are the next most common drivers of investment.
Fewer organisations seem motivated by customer-driven requirements (25%) and executive input (22%).
The overall picture is of an industry operating as largely responsive and tactical vs. proactive and strategic. And in looking at the rest of the findings in our research, it’s no wonder! Cybersecurity is already a hard job; the added challenges we found make it even harder!
Given these challenges, it’s very difficult for security leaders to shift their mindset, but organisations get the best outcomes when engaged leadership sees security budget as a business-enabling investment instead of a cost centre and commits to evolving around the user.
The full report is, in some places, a confirmation of many ITDM concerns. In others, it’s a bracing splash of cold water. In all cases, it’s insightful and provides useful guidance for those plotting their security strategies for the coming year and beyond.
We encourage you to download your copy today and spend a few minutes with it (it’s actually briefer than you might expect, and also includes a football analogy you might appreciate).
If you have comments or questions, please drop us a line.