Information security functions have become far more important to their companies in the past decade, and that’s reflected in how the resources they’re allocated have grown year after year.
For 2017, staffing and budget numbers will increase yet again, but spending on staff training is flat, headcount growth rates are declining, and current levels of budget growth may not be sustainable. Overall, there are a few changes that information security teams should expect in the coming year; the slide below has highlights.
Security Staffing and Budget Increases
Companies continue to increase information security spending — in fact, this is the seventh continuous year of budget increases for security, with a compound annual growth rate of 6% from 2010 to 2013 and 11% from 2014 to 2017.
On the staffing side, there’s a similar story. Security functions are growing in size (see chart 1), and spending on staff continues to be the largest share of security spend (40% in 2016).
Chart 1: Total information security staff (percentage of organizations; n=85). Source: CEB 2016 Controls Maturity Benchmarking Survey.
Note: Totals may not equal 100% due to rounding.
Clouds on the Horizon
Unfortunately, it’s not all good news, as solid staff and budget growth this year may not extend into the near future.
Security headcount growth rate is declining (and talent needs may shift): While security headcount continues to grow, the current growth rate (5%) is below that of past years. In addition, technology trends — such as Agile, DevOps, and automation — may shift Information Security’s talent needs and disrupt security roles that have historically been in high demand.
Experienced security staff may want to explore options for upskilling in these emerging areas, with an emphasis on data science, automation, and iterative development methodologies.
Security budget growth may not be sustainable: Information Security’s share of the IT budget continues to rise year over year, but at a declining rate of growth. Security budgets grew an average of 16% in 2016 but are poised to grow only 9% in 2017. This is perhaps an early indication that annual budget growth is not an indefinite trend for information security functions, especially in an environment where IT budgets are projected to stay flat in 2017.
Information security professionals in CEB’s networks also feel that senior leadership and boards of directors are increasingly pushing CISOs to demonstrate the value of their efforts, and to defend large expenditures.
Security staff training is flat (and at risk of declining): Staff training investment per information security employee in 2016 was flat compared to 2015 and below the peak of 2014. While training spending remains robust today, factors such as decreasing security budgets, budget scrutiny, growing headcount, high attrition rates, and economic uncertainty could all affect learning and development spending — especially as this is a discretionary budget item.
Security staff should look to take advantage of L&D opportunities now, as it might be their last chance.