IT security spending priorities don’t match threats


WHAT: Time to Rethink Enterprise IT Security, 2015 Black Hat Conference attendee survey.

WHY: Black Hat, the global cybersecurity event management firm, surveyed the “experienced and highly trained audience” attending its annual conference on their enterprise security priorities. 

FINDINGS: The authors report a disconnect between “the threats that keep security professionals awake at night and the tasks that keep them occupied during the day.” Sophisticated attacks targeted directly at an organization, along with phishing, social network exploits or other forms of social engineering, topped the list of most-concerning threats, followed by an amalgam of other top threats ranging from malware to government espionage to attacks brought on by mobile devices.

But the defensive tasks that IT security pros say consume the most time are addressing vulnerabilities introduced by internally developed and off-the-shelf software.  According to the report’s authors, “the data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.”

Budgetary and spending priorities show that same disconnect.  “The widespread range of spending priorities in the survey shows that budgets may be failing to keep up with the latest threats, and that security professionals are not able to tune that spending to meet their most current concerns,” the report asserted.  A shortage of skilled professionals also impairs organizations’ abilities to respond adequately to potential threats and breaches, respondents said. 

In terms of future threats, over a third of respondents believe that “threats borne by non-computer devices – the Internet of Things – will be among their top concerns two years from now.”  However, only 6 percent have begun to address IoT security. 

TAKEAWAY: Most enterprises are not spending their time, budget and staffing resources on the problems their security professionals consider to be the greatest threats.

GET MORE: Read the full report here.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.

