While we see Gartner’s 2017 information security spending forecast setting the industry abuzz with prospects of seemingly unstoppable growth – reaching $86.4 billion this year and topping the magical $100 billion mark in 2019 – let’s look beyond the numbers to see what a pragmatic security leader can learn from it.
Gartner’s Reality Check
There’s a maturity journey that every security organization travels on, but it’s easy to lose sight of the fundamentals given all the noise in the field today. Gartner tackles this head on, with Sid Deshpande noting, “Improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.” [emphasis added] 
The fact is there’s less tolerance than ever for not mastering the security fundamentals. If you don’t know what devices (physical and virtual) are on your networks, what software is installed on them, how they’re configured, and what vulnerabilities may exist on them, then you’re literally flying blind. The lack of a strong security foundation has brought increasingly severe consequences, as the threat landscape has evolved from script kiddies to hacktivists to professional cyber-criminals expert in social engineering and ransomware. WannaCry alone is projected to cause up to $4 billion in damage, and the industry still hasn’t learned its lesson.
And adoption of new digital initiatives is putting even more pressure on security teams to do the basics well. Digital transformation is a reality for every organization today – no matter the industry or size, public or private sector – from public cloud adoption that unleashes on-demand scalability, to DevOps approaches that accelerate innovation, to new digital touchpoints that delight customers and strengthen loyalty. As if the fundamentals weren’t hard enough before, now information security teams must wrestle with assets they often can’t see (containers), can’t control (line of business-managed cloud and SaaS, and industrial IoT / OT), and which live off-network (mobile devices and laptops).
Gartner forecasts rapid growth in the security testing market, which we attribute to the adoption of DevOps. Gartner notes, “The use of automated and integrated application security testing – according to research – is considered the leading priority as the most critical technology to adopt in order to improve application resilience and integrity.” The challenge of visibility and protection is greatest with dynamic, short-lived technologies like containers.
The key questions every CISO wants to understand – what do I have, where am I exposed, what should I do about it? – are more difficult than ever to answer. That’s why Tenable is helping organizations address them as we pioneer the emerging discipline of Cyber Exposure. Cyber Exposure will help both operational security teams and senior executives manage and measure their modern attack surface, so they can accurately understand and reduce their cyber risk.
The pragmatic CISO can take away three learnings from Gartner’s announcement and other recent news:
First, don't get distracted by the latest “shiny objects” if you haven't mastered your foundational security controls. The newest machine learning-powered threat detection solution or hyped-up deception technology might be helpful for some organizations, but consider if they’re right for you today. If you haven’t locked the doors on the first floor of your house, do you really need bullet-proof windows on your second floor?
As Facebook CISO Alex Stamos noted at Black Hat, “Too many security researchers are focused on ‘really sexy, difficult problems’ that don’t address the common vulnerabilities that allow malware attacks to wreak havoc.” The impact of WannaCry makes his point perfectly – think about how many hot new technologies in production were powerless to stop it.
Second, strengthen your security foundation. It’s never too late to refocus on the fundamentals. As Tenable CEO Amit Yoran implored the industry, “We should celebrate defense. We focus on the threat of the day, the attack of the day, instead of focusing on the foundational issues.”
For those looking for an objective security framework to measure progress, the Center for Internet Security (CIS) Critical Security Controls (formerly the SANS Top 20) is a great place to start. Other useful frameworks include the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001/27002. Moreover, progress can be rapid and meaningful. A recent survey conducted by CIS and Tenable showed that among companies that started adopting a framework more than a year ago, 35 percent have automated 11 or more of the 15 foundational subcontrols, and even among those who started adopting one less than a year ago, 25 percent have automated six or more subcontrols.
Third, leverage outside help where it makes sense. According to Gartner, “Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting, and implementation services.” Managed security services (MSS) can be a lifeline for many security teams struggling with staffing constraints. Figure out what you need to manage in-house, and explore options for outsourcing other functions. Tenable’s recently announced managed security services provider (MSSP) program will offer even more options for organizations.
Ultimately, vulnerability management must evolve to deliver even more value to security teams and executives. Tenable has an expansive vision for how vulnerability management will evolve into Cyber Exposure by translating and contextualizing technical data into business terms:
- Not just raw vulnerability data, but the actual cyber risk for your organization
- Not just results, but context and guidance on what action to take
- Not just technical reports, but business metrics and visualizations that executives can understand
Forecast Analysis: Information Security, Worldwide, 1Q17 Update. Elizabeth Kim, Christian Canales, Ruggero Contu, Sid Deshpande, Lawrence Pingree. June 13, 2017.
Gartner press release, Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017, August 16, 2017.