
Tech vs. training: Where should business focus cybersecurity spending?

As information security budgets grow, cybersecurity spending needs to be focused on employee-centric areas like training to be effective. ISSA's Candy Alexander explains why.

More than 60% of surveyed cybersecurity professionals said their companies are failing to provide the level of training needed to keep up with business and IT risks, according to a recent ESG-ISSA study. This could create undue risk for companies, according to Candy Alexander, member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle. The lack of training often leaves cybersecurity professionals without the skills needed to properly operate the company's security technology and apply its methodologies, Alexander said during a recent press teleconference.

In this Ask the Expert, Alexander explains why focusing cybersecurity spending on training helps improve the effectiveness of existing information security technology and processes.

Editor's note: The following transcript has been edited for clarity and length.

Does having an appropriate budget for cybersecurity have more impact than training? Where should organizations focus their cybersecurity spending?


Candy Alexander: You really need to have an appropriately sized budget in order to have an appropriately sized staff and a skilled staff. So of course, more skilled staff, more experienced staff, is going to require more budget. I don't necessarily see them as separate, but as one supporting the other.

But when you look at an organization's budget for cybersecurity, look at the percentage of that budget that's allocated for tools and technology. The cybersecurity budget is completely one-sided toward spending from that tool perspective, whereas we need to start making the shift and look at investing in training. If we do not invest in the skills, then cybersecurity professionals are not going to know how to use the technology, or how to use methodologies to implement the technology effectively.

A lot of organizations will spend all kinds of money on technology and not fully utilize it. As a risk assessor, when I go into an organization, that's what I'll look at: What technologies do they have, and how well are they being implemented?

We need to really take a look at the spending and make sure it is proportionate to what is really needed in the organization. I hate to say it, and it is going to be really unpopular with a lot of tool vendors, but we really shouldn't build our programs based on the latest technologies. We really need to look at it from a risk perspective, and the old cliché of looking at it from a people, process and technology perspective.
