The Index of CyberSecurity is one of the only instances of the use of the word cyber that doesn't make me immediately want to rip my own flesh off. It's somewhat similar to the economic measure, the Purchasing Managers' Index, in that it gathers data from the people with their hands on the wheel. Since the PMI shows the demand side, it's interesting that the monthly question this month addressed the demand side for ICS, asking:
"Given the current threat environment, the relative ease of obtaining funding and resourcing in the recent past for cyber security threats from your organization's senior leadership has:"
This is not a new trend; security spend has increased more than almost anything else in IT over the last decade. Don't believe me? Try to swing a dead cat and not hit a security conference. Here is the thing though: will these dollars be invested well? Or will they just be spent on the shiniest, silverbulletist, golfiest, and boothbabiest security gewgaw that's close at hand? This matters! I know about the Red Queen, and I know there is a lot of catch-up to be played, but we have to start investing wisely.
It's one thing to say that attackers are getting better all the time (true), and it's valid to say that organizational change that benefits security is hard, but at the same time, if the budget dollars create malinvestment, well, that one is on our industry. Don't ask Gartner what others are spending - find your moat and defend it.
So we have people's attention, as in execs. Hardly a day goes by without a "cybersecurity" story in the FT or WSJ. This is what execs read (those who do), and the message is getting through. There is a lot of catch-up to be played, and the spending is going up, but what about quality? Is it sustainable security that we are building, or malinvestment and wasteful spend?