The 2018 CIRA Cybersecurity Survey results underscore a lot of the trends we have heard from earlier reports on hiring in cybersecurity. It is really a bright time to get into the field. I mean, there has to be a glass half-full answer to the massive upswing in cybercrime right?
With our cybersecurity survey, we wanted to understand the needs and trends facing organizations that have between 10-499 employees. This segment of the market employs about half of all Canadian workers and is a significant contributor to our GDP. Cyber attacks on large enterprises generally grab all the headlines, and no doubt large businesses are an attractive target for cyber criminals, but in reality 7,0 per cent of data breaches happen to companies with fewer than 100 employees. This makes sense since smaller businesses don't have the resources to implement and maintain deep security stacks. Their vulnerability makes them an attractive target for cyber criminals.
How many resources are we talking about? IT security is a costly affair with the majority of respondents indicating they spend 10-14 per cent of their IT budget on cybersecurity. If you think this seems small, then consider that this is a IT spending category that does nothing to improve the end product or service of an organization.
Percentage of overall IT budget devoted to external cybersecurity service providers
- Percentage of overall IT budget devoted to external cybersecurity service providers
- 14% Less than 5%
- 12% 5 to 9%
- 40% 10 to 14%
- 4% 15 to 19%
- 8% 20 to 24%
- 4% 25 to 29%
- 8% 20 to 49%
- 10% 50% or more
- 26% Don't know
Additionaly, 51 per cent of respondents indicated that they outsource cybersecurity to consultants. This was even more pronounced among those small businesses with larger IT departments. Presumably, a larger IT department means a more informationally complex business and so the team would recognize the importance of specialized expertise as it relates to security.
Forward thinking: how do small businesses plan for the future of cybersecurity?
Our survey provides a good snapshot of the cybersecurity landscape for Canadian SMBs today, but as the tactics of cyber criminals continue to evolve, it is important to look to the future. Here's what the respondents indicated they were looking forward to doing in the next year:
- 29 per cent expect to increase their investment in cybersecurity.
- 12 per cent expect to hire more staff.
- 16 per cent expect to hire new service providers.
So if you know of any students out there who are making decisions on what to do after high school: may we suggest something that lends itself to a job in the field of cybersecurity? The federal government's National Cyber Security Strategy addresses the need for talent in the cybersecurity sector and says we can encourage more students to move to STEM fields and specialize in skills needed in cybersecurity jobs. Automation and tools will always be a part of a SMB's toolbox to fight cybersecurity, but they are going to need staff on their side as well. Where is the rest of the investment going? Any good security stance requires layers that protect each other and the core and that increase the quality of stewardship organizations have on our data. For organizations, the challenge is to find the right balance between cost, simplicity and efficacy that reduces risk.