Security budgets are growing and are being directed toward cloud infrastructure security, but organizations aren’t confident in their SecOps practices. This post shares three insights from our recent security budgeting survey, The State of Security Budgeting in 2018.
When it comes to budgeting for security, where does SecOps fit in? According to a new Threat Stack survey, security professionals aren’t particularly confident in their organization’s ability to bake security into DevOps processes (82% saw at least some room for improvement in this area). At the same time, however, security professionals are concerned about development adding risk (nearly 91% believe development teams introduce new risks). This is especially true in a landscape where security is often sacrificed for speed.
But there is good news. Security budgets are on the rise and are being allocated toward the right places. Companies are directing their budgets to cloud infrastructure and network security, which is essential given that 95% of organizations now leverage CI/CD practices, or plan to do so in the future.
Many organizations aren’t thinking of security as part of the DevOps process, and as a result, they’re seeing increased risk. Even so, the majority of organizations agree that more budget is needed for hiring security talent.
In this post, we’re sharing three SecOps insights from our recent security budgeting survey, as well as their implications for your organization.
1. Security Budgets Are Rising, Particularly in Cloud and Network Security
Security budgets are rising, which is good news for organizations that want to mitigate risk, hire talent, and purchase the right tools. The average annual security technology budget of the organizations surveyed is $651,260.
Encouragingly, security budgets are expected to grow 19% in the next two years. Organizations using containers had slightly higher budgets, with an annual average of $688,134. And startups had the highest average security budgets of all with current budgets at $728,405, expected to rise to $867,704 in the next two years.
The majority of security budgets are being directed toward cloud infrastructure and network security, which is appropriate in 2018 because these are areas where security professionals see the most issues. For example, DevOps teams are leveraging CI/CD practices to build, test, and ship cloud-based applications, which involves many considerations around properly configuring, controlling access to, and securing their cloud environments.
Security teams seem to be responding to these concerns directly, naming cloud infrastructure and network security as two areas where security professionals think there could be even more dedicated budget. This is most likely because cloud infrastructure attacks are becoming increasingly sophisticated, while there is a significant increase in the use of containers (where infrastructure configuration errors can open up an even larger attack surface).
2. Despite These Investments, SecOps Confidence Is Low
DevOps practices that focus on speed while sacrificing security are introducing many new risks. Organizations were most concerned about developers requiring access to sensitive information (45%) and PII (40%), while 34% worried about developers’ need for admin or root-level permissions. What’s more, 29% of organizations believed their businesses placed more emphasis on releasing applications that work over applications that are secure. This percentage escalated to nearly 40% in startups.
This data aligns with a February Threat Stack survey, where more than half (52%) of companies cut back on security measures to meet a business deadline or objective. In both the October and February surveys, more than 60% of respondents felt that security can slow down the speed of the business. In the October budgeting survey, startups — at 73% — were the most likely to share this belief.
With 82% of the budgeting survey respondents sharing a belief that there’s at least some room for improvement in SecOps processes, perhaps that’s a prime area for future investment.
3. Despite Healthy Budgets, Companies Struggle With a Security Talent Shortage
Two-thirds of organizations feel they need to find the right security talent to manage their solutions. Startups felt particularly strongly about this need (72%), as did those with larger security budgets (77%) and those using containers (71%).
Although security budgets are rising alongside the need for talented professionals, organizations are struggling to find talent, no matter their size or industry. One recent report predicted that there will be 3.5 million open cybersecurity jobs by 2021.
Overall, the budgeting survey indicated some uncertainty around how security budgets should be allocated compared to overall organizational concerns, as well as a general lack of confidence in security strategy, particularly when it comes to SecOps. Businesses should look to trusted vendors and outside advisors to help fill the internal talent and expertise gaps.
More Spending Trends…
These are just some of the insights we found in Threat Stack’s recent budgeting survey. No matter the current status of your security budget, check out The State of Security Budgeting in 2018 report to see how organizations are thinking about their risks and spending — now and over the next two years.