As survey respondents explained in the report, If they can’t secure funds for more tools, then the budget they do have must work harder.
According to Cisco's 2017 annual security report, in 2016, 35% of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology.
As in 2015, compatibility issues with legacy systems was the second-most-common obstacle: 28% named compatibility in 2016, compared with 32% in 2015. "Money is only part of the problem. For example, compatibility issues speak to the problem of disconnected systems that don’t integrate. And concerns about the lack of trained personnel highlight the problem of having the tools but not the talent to truly understand what is happening in the security environment," the report highlighted.
The struggle to find talent is a concern, considering the expertise and decision-making abilities needed to fight targeted attacks and shifting adversary tactics. The report noted that a well-resourced and expert IT security team, paired with the right tools, can make technology and policies work together and achieve better security outcomes.
Whatever the constraints, security professionals need to ask hard questions about the barriers that limit their ability to face coming threats.
For example, when it comes to budget, how much is really enough? As survey respondents explained in the report, security teams must compete against many other corporate priorities, even within the IT setting. If they can’t secure funds for more tools, then the budget they do have must work harder. For example, automation can be used to offset limited manpower.
Aside from those limitations mentioned in the report, security professionals are also placing slightly less emphasis on security operationalization. This trend may raise concerns that security professionals are building a suboptimal security infrastructure. Signs of a weakening focus on operationalization can indicate that organizations are not prepared to defend a widening attack landscape.
For instance, in 2016, 53% of the respondents strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56% strongly agreed. Likewise, in 2016, 53% said they strongly agreed that they routinely and systematically investigate security incidents, compared with 55% in 2014 and 56% in 2015.
"If security professionals are slipping in their goals to put security into use, then it may not be a surprise that they can’t effectively deploy the tools they have, much less add new tools. And those tools need to provide a holistic picture of what is going on in the network environment," the report noted.
The lack of integration in security can allow gaps of time and space, where bad actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors can complicate assembling a seamless defense. According to the report, a majority of companies use more than five security vendors and more than five security products in their environment. 55% of security professionals use at least six vendors; 45% use anywhere from one to five vendors; and 65% use six or more products.