What a Pragmatic CISO Can Learn from the Gartner Information Security Spending Forecast


While we see Gartner’s 2017 information security spending forecast setting the industry abuzz with prospects of seemingly unstoppable growth – reaching $86.4 billion this year and topping the magical $100 billion mark in 2019 [1] – let’s look beyond the numbers to see what a pragmatic security leader can learn from it.

Gartner’s Reality Check

Every security organization travels a maturity journey, but it’s easy to lose sight of the fundamentals given all the noise in the field today. Gartner tackles this head-on, with Sid Deshpande noting, “Improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.” [emphasis added] [2]

The fact is there’s less tolerance than ever for not mastering the security fundamentals.  If you don’t know what devices (physical and virtual) are on your networks, what software is installed on them, how they’re configured, and what vulnerabilities may exist on them, then you’re literally flying blind.  The lack of a strong security foundation has brought increasingly severe consequences, as the threat landscape has evolved from script kiddies to hacktivists to professional cyber-criminals expert in social engineering and ransomware. WannaCry alone is projected to cause up to $4 billion in damage, and the industry still hasn’t learned its lesson.

And adoption of new digital initiatives is putting even more pressure on security teams to do the basics well.  Digital transformation is a reality for every organization today – no matter the industry or size, public or private sector – from public cloud adoption that unleashes on-demand scalability, to DevOps approaches that accelerate innovation, to new digital touchpoints that delight customers and strengthen loyalty.  As if the fundamentals weren’t hard enough before, now information security teams must wrestle with assets they often can’t see (containers), can’t control (line of business-managed cloud and SaaS, and industrial IoT / OT), and which live off-network (mobile devices and laptops).

Gartner forecasts rapid growth in the security testing market, which we attribute to the adoption of DevOps. Gartner notes, “The use of automated and integrated application security testing – according to research – is considered the leading priority as the most critical technology to adopt in order to improve application resilience and integrity.” [1] The challenge of visibility and protection is greatest with dynamic, short-lived technologies like containers.

The key questions every CISO wants to understand – what do I have, where am I exposed, what should I do about it? – are more difficult than ever to answer.  That’s why Tenable is helping organizations address them as we pioneer the emerging discipline of Cyber Exposure.  Cyber Exposure will help both operational security teams and senior executives manage and measure their modern attack surface, so they can accurately understand and reduce their cyber risk.

CISO Takeaways

The pragmatic CISO can take away three lessons from Gartner’s announcement and other recent news:

First, don’t get distracted by the latest “shiny objects” if you haven’t mastered your foundational security controls.  The newest machine learning-powered threat detection solution or hyped-up deception technology might be helpful for some organizations, but consider if they’re right for you today.  If you haven’t locked the doors on the first floor of your house, do you really need bullet-proof windows on your second floor?


As Facebook CISO Alex Stamos noted at Black Hat, “Too many security researchers are focused on ‘really sexy, difficult problems’ that don’t address the common vulnerabilities that allow malware attacks to wreak havoc.”  The impact of WannaCry makes his point perfectly – think about how many hot new technologies in production were powerless to stop it.

Second, strengthen your security foundation.  It’s never too late to refocus on the fundamentals.  As Tenable CEO Amit Yoran implored the industry, “We should celebrate defense.  We focus on the threat of the day, the attack of the day, instead of focusing on the foundational issues.”

For those looking for an objective security framework to measure progress, the Center for Internet Security (CIS) Critical Security Controls (formerly the SANS Top 20) is a great place to start.  Other useful frameworks include the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001/27002.  Moreover, progress can be rapid and meaningful.  A recent survey conducted by CIS and Tenable showed that among companies that started adopting a framework more than a year ago, 35 percent have automated 11 or more of the 15 foundational subcontrols, and even among those who started adopting one less than a year ago, 25 percent have automated six or more subcontrols.

Third, leverage outside help where it makes sense.  According to Gartner, “Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting, and implementation services.” [2] Managed security services (MSS) can be a lifeline for many security teams struggling with staffing constraints.  Figure out what you need to manage in-house, and explore options for outsourcing other functions.  Tenable’s recently announced managed security services provider (MSSP) program will offer even more options for organizations.

Ultimately, vulnerability management must evolve to deliver even more value to security teams and executives.  Tenable has an expansive vision for how vulnerability management will evolve into Cyber Exposure by translating and contextualizing technical data into business terms:

  • Not just raw vulnerability data, but the actual cyber risk for your organization
  • Not just results, but context and guidance on what action to take
  • Not just technical reports, but business metrics and visualizations that executives can understand

For information on how Tenable can help your organization build a successful vulnerability management program, download this whitepaper or contact us today.


[1] Forecast Analysis: Information Security, Worldwide, 1Q17 Update. Elizabeth Kim, Christian Canales, Ruggero Contu, Sid Deshpande, Lawrence Pingree. June 13, 2017.

[2] Gartner press release, Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017, August 16, 2017.
