In the wake of increasingly sophisticated criminal hacks of companies like SolarWinds, Colonial Pipeline, and JBS Foods that touched on fears of national security weaknesses, U.S. politicians all the way up to the White House have been adamant on one cybersecurity requirement: organizations needed to spend more on it to protect the nation. But there’s a problem: in many cases, increased spending on cybersecurity in recent years hasn’t resulted in better protection against hackers.
Public and private enterprises often say that bigger cyber budgets have made them less vulnerable to attack, a finding corroborated in multiple surveys including those conducted by CNBC’s Technology Executive Council, but cybersecurity experts say that often reflects a false sense of confidence, something akin to a magic belief that simply spending more on technology is the solution.
Now, as cybersecurity begins a new cycle of investment as a response to the recent wave of attacks, including Microsoft’s decision to spend $20 billion on cybersecurity over the next five years — a quadrupling of its previous spend — there’s a Catch-22 in the fact that more spending hasn’t meant better defense.
“It’s a big problem,” said Larry Ponemon, chairman and founder of information security think tank Ponemon Institute. “We see lots of organizations making investments in technology that never get deployed.”
The cyber labor shortage as a threat
Microsoft president Brad Smith is focused on spending more as a way to deal with cybersecurity’s big spending problem. The Microsoft executive said in an interview with CNBC’s “Squawk Box” on Tuesday that some of the tech giant’s new spending is being dedicated to helping enterprise clients, especially at the local, state and government level, “just catch up” on implementing security protection that in some cases they already bought but aren’t even using.
One of the biggest reasons cited by Smith and other cyber experts for the disconnect between cyber spending and return on investment in the form of better protection comes down to labor.
FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith (left to right) talk with each other before the start of a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack that resulted in a series of data breaches within several agencies and departments in the U.S. federal government.
Drew Angerer | Getty Images News | Getty Images
“I think we have a real shortage,” Smith told CNBC. “Many businesses don’t have the people that they need, either to implement the protections they, in some cases, are already paying for.”
The lack of cybersecurity professionals is not a tech sector problem but a significant problem across all major industries. After a recent White House meeting, the private sector committed to providing skills training to help close a gap of roughly 500,000 unfilled U.S. cybersecurity jobs. Google alone committed to invest more than $10 billion over five years and train 100,000 people.
“We see this ALL the time in our customers,” David Kennedy, founder and CEO of Trusted Sec, wrote in a email. “These companies will buy products, but not include direct staff to support it or else they can’t get the internal funding approval to support it. So the cybersecurity investments are only half installed or not at all and just languish. They barely get any value.”
He added, “Without the right people in position, you’re never going to be secure, no matter how much money you spend. You can’t simply throw money at the problem by buying a lot of fancy new security devices and software, but that’s often what companies do.”
Even within the Fortune 100, many companies are spending a ton of money on new cybersecurity technologies, but lack the right people to implement them correctly, according to Chris Rouland, CEO of Phosphorus Cybersecurity and a former CTO of IBM Security. “There are many companies that are sitting on security solutions that could help protect them from getting breached, but they simply aren’t able to put all of it in place and so they remain vulnerable.”
Microsoft focuses on government flaws
The problem looms largest for smaller companies and local governments, which struggle to compete on salary, creating what Rouland described as “enormous personnel gaps.”
A portion of Microsoft’s new cybersecurity spend is focused on this problem within the public sector. Smith told CNBC that it will provide $150 million in the next year in free engineering services, “to help the federal, state and local governments just catch up so that they can implement the security protection that is already available in some cases, they’re already buying but not yet using.”
Smith noted in recent congressional testimony that even at the level of the federal government, what Microsoft found during reviews of cyber protocols was “troubling” in regards to the disconnect between cyber investments and successful deployment. Even basic cyber hygiene and security best practices, such as multi-factor authentication, were not in place.
Investing more in a cybersecurity team remains a challenge within many organizations where cybersecurity spending cycles and headcount spending budgets are often two separate exercises, according to Brennan Baybeck, past board chair and current board director at IT governance association ISACA, and vice president and chief information security officer for customer services at Oracle.
As criminal hacks become more sophisticated, especially ransomware, it’s sending the cost of cybersecurity hires even higher. That’s led to a recognition from boards of directors that cybersecurity is not just a “tech problem,” and it has created new demand for cybersecurity positions, but also makes it even more difficult to compete for a cybersecurity talent pool that is much smaller than other technology fields, and increases the risk of staff defections before technology can even be deployed, he said.
cyano66 | iStock | Getty Images
ISACA’s recent State of Cybersecurity 2021 survey, which gathered responses from 3,600 information security professionals around the world, found 61% of respondents saying that their cybersecurity teams are understaffed; and 55% of respondents say that they have unfilled cybersecurity positions. Among organizations experiencing more cyberattacks in the past year, 68% told ISACA they are understaffed.
“Now they are waking up,” Baybeck said. “They are seeing you can buy 50 security products but if you can’t get it deployed it’s not helping. … The people aspect is just like the tech investment. It needs to be continuously maintained and lots of programs and security organizations don’t think about that. But we are really trying to change that. The labor shortage has to be part of the plan.”
A gap of hundreds of thousands of workers won’t be quickly filled, but cybersecurity experts say there are a variety of solutions that will help in the years ahead, and the large sums being spent by the biggest tech companies including Microsoft and Google can make a difference.
“The potential implications are enormous, but all the same issues could happen again,” Ponemon said, with cybersecurity teams continuing to make decisions in a silo within an organization, and that leading to a disconnect between spending and effective implementation.
New ways to source tech talent
The cybersecurity industry is thinking differently about how it hires. In the past, many firms limited their search to skilled technologists with a specific skill set, but Baybeck said now many organizations are looking to broader developer and engineering communities to attack problems, such as bad code that can lead to vulnerabilities.
“It’s a lot easier to hire 100 programmers than it is to hire 100 cybersecurity professionals. You simply can’t find them. And when you do, they cost a lot more than software developers,” Rouland said.
In addition to certificate programs to upskill workers from companies including Google, U.S. universities are ramping up their degree programs in cybersecurity and are starting to turn out a lot of new professionals.
“Over time, they will help to close the hiring gap, but in the meantime, companies are going to have to figure out how to staff up in order to stave off these current threats,” Rouland said.
Criminal hacking organizations can be expected to increase their use of AI and automation in the years ahead, accelerating the challenges for human cyber staff to keep up on emerging threats, but these technologies will also be part of the skills gap solution in cybersecurity.
Baybeck said automation will ultimately make cybersecurity less reliant on humans, but it it remains unclear how much of a swing factor technology like AI will be. “We just don’t know how much of a closure we will get,” he said.
The balance between human and automated cybersecurity is already changing. Many security operations centers used to be 100% human-staffed across four levels of response, but now it is common across platforms to have automated solutions at least for the less-serious threat levels. “This is a whole set of resources, 24/7 models, 50 people you would have had to staff before who can now do other things,” Baybeck said. “It takes a big chunk out of the labor force across the globe.”
Self-interest is another factor that will keep big tech motivated.
“The big tech companies will do a lot to create universal standards and they are thinking that if they don’t do something, they will be on the wrong side of the government ledger,” Ponemon said.
But Ponemon worries about what has occurred in past cycles of technology investment, what he referred to as the chaos factor or saturation effect. At the earliest stage of new technology adoption, motivation is high within an organization, but as more complexity arises in deployment, organizations lose confidence in it and the latest technology can become “shelfware.”
“The more you buy and implement, the more likely you are to find there are holes in the technology and need to close the gap,” Ponemon said. “You need to think about all the issues that could go wrong, not just what goes right.”