Bonus Trends: Consultant Perceptions, Increasing Threats, and Wish Lists
The report describing the findings from the latest ASIS International security trends research, which was sponsored by Resolver, focused on two things: how the perception and role of security within organizations is changing and security’s use of and approach to artificial intelligence (AI).
However, the survey was wide ranging, and not all the findings made it into the final report. This article presents results from three areas the survey covered that the final research report did not:
- How security consultants differed from security professionals in their perceptions of security’s role in organizations
- What threats are of increasing concern
- What security professionals would do if they were suddenly gifted with a 10 percent increase in their budget
The Consultant Survey
Survey takers who said they were security consultants or security industry solution providers were given the option to take a separate survey of related questions: 114 participated in the alternate survey.
A major finding in the research is that security professionals see security as having an increasingly strategic role in their organizations. The consultants had a somewhat less rosy outlook. Just about half (49 percent) of security professionals said top executives in their organizations viewed security as either mostly or primarily a business enabler in the organization, and 25 percent said executives view security as a cost center.
Security consultants said they see something different. Less than a third (32 percent) said top executives in organizations see security as a key business enabler. Worse, 47 percent said executives see security as mostly or primarily a cost center.
It’s one thing for top executives to have a decidedly non-strategic view of security, but as far as consultants are concerned, the security professionals they work with are only a little bit better. Only 39 percent of consultants said all or most of the security leaders they work with understand the need to position security as a business enabler rather than a cost center. Forty-three percent of consultants were more equivocal, saying some security leaders understand the need and some do not, but—ouch—18 percent said very few or none of the security leaders they work with understood the need for security to position itself as a strategic asset in the business.
There is a small silver lining to the gloomy consultant cloud. The survey asked how these areas had changed over the past two years. Much like the security professional survey, the data indicate a shift toward the business enabler side. In the case of the organization’s top leaders, 55 percent said there was either a slight or strong shift toward seeing security as a business enabler, 37 percent said there was no change, leaving just 8 percent who said they had seen a shift toward executives seeing security as a cost center.
Similarly, 61 percent said security leaders had shifted toward understanding the need to position security as a business enabler. Seven percent said security leaders had shifted the other direction, with the rest saying there was no significant change.
Level of Concern About Threats
The survey asked participants whether they were more or less concerned about 12 different threats compared to two years ago. It’s not surprising when asking a question like this that the concern level has increased for each of the 12 threats. It’s comparing the amount of concern across different threat types that yields interesting information. In this case, security professionals were given a five-point scale:
- 1—Much less concerned
- 2—Less concerned
- 3—About the same
- 4—More concerned
- 5—Much more concerned
Looking at the weighted average, three groupings of the 12 threat types emerged:
| Threats with Highest Level of Growing Concern | Weighted Average |
| --- | --- |
| Cyberattack (unrelated to social engineering) | 3.96 |
| Social engineering schemes | 3.84 |
| How bad actors will adopt and use AI | 3.77 |

| Threats with a Medium Level of Growing Concern | Weighted Average |
| --- | --- |
| Civil unrest or terrorism | 3.56 |
| Insider theft or destruction of assets | 3.47 |
| Supply chain disruption | 3.46 |
| Outsider theft or destruction of assets | 3.44 |
| Significant workplace violence incident | 3.42 |
| Travel or executive protection incident | 3.40 |

| Threats with a Relatively Lower Level of Growing Concern | Weighted Average |
| --- | --- |
| Weather or climate emergency | 3.34 |
| Public health crisis | 3.32 |
| Labor unrest | 3.02 |
The survey also gave security professionals a five-point scale to rate their readiness level for the security threats their organizations faced. The distribution resembled a bell curve, with a weighted average of 3.04. With a rating of three, 48 percent said they thought they were keeping pace with the evolution and innovation of threats and bad actors. On the more prepared side, 12 percent rated their organization a five, saying their security readiness was increasing faster than the evolution and innovation of threats and bad actors; 15 percent rated their organization a four. On the other side, 10 percent gave their organization a one, signifying that threats and bad actors were evolving and innovating much faster than their security teams were able to keep up with; the other 15 percent gave their organization a rating of two.
What to Do with a Surprise 10 Percent Budget Increase
Not sure any security leader at any company anywhere has ever been told they had an extra 10 percent to spend, so they should figure out how to spend it. But the survey asked this fanciful, open-ended question to see if it yielded any interesting results.
Overall, 454 completed the question with a meaningful answer—when someone wrote in “security,” for example, this answer was omitted as not meaningful (a total of 13 answers were omitted in this way). Of the meaningful answers, themes emerged: 64 percent listed something to do with security technology, and 39 percent listed something to do with personnel (a total of 15 percent of the answers were classified as both technology and personnel).
Some notes about the classifications: words like automation, cybersecurity, infrastructure, and upgrade triggered classification as a technology-based answer unless there was an obvious reason for not including it (for example, “increase cybersecurity training” would fall under personnel because it is training-based). Several answers listed or mentioned “safety;” these were classified as personnel unless there was a reason for a different classification. Finally, the subclassifications had to be explicitly mentioned. For example, if the answer was a short “invest in personnel,” it was classified as only “personnel.” However, if the short answer was “invest in new personnel,” it was classified as both “personnel” and “adding security personnel.”
The security professionals who got more specific in the technology primarily listed adding or improving surveillance capability, access control capability, or adding artificial intelligence. The personnel category included answers that were specifically for security personnel (most of them) as well as people who would spend the increase on training or safety related to all staff. Additional training dominated the personnel category, followed by adding security personnel and increasing the pay of security personnel.
Here's what the classification breakdown looks like:
| Classification | Percent |
| --- | --- |
| Technology | 64% |
| Surveillance | 13% |
| Access control | 8% |
| AI | 7% |
| Personnel | 39% |
| Training | 23% |
| Additional personnel | 8% |
| Increased pay | 5% |
And, of course, there were some people who really thought that 10 percent increase would go a long way, like the security professional who said:
“If I were in charge of allocating a 10 percent increase in a security budget, I would prioritize the following areas:
- Cybersecurity enhancements: Strengthening defenses against cyber threats by investing in advanced threat detection systems, regular security audits, and employee training programs to recognize and prevent phishing attacks.
- Physical security upgrades: Improving physical security measures such as surveillance cameras, access control systems, and security personnel training to ensure a safe environment.
- Emergency preparedness: Enhancing emergency response plans and conducting regular drills to ensure readiness for various scenarios, including natural disasters, fire, and security breaches.
- Data protection: Implementing robust data encryption and backup solutions to protect sensitive information from unauthorized access and potential data loss.
- Security awareness programs: Educating employees and stakeholders about security best practices and the importance of maintaining a secure environment.”
For those keeping score, this answer was classified as falling in the following categories: technology, surveillance, access control, personnel, training, and other.
The full report on the research findings, Understanding the Evolving Role of Security: 2025 Security Trends, sponsored by Resolver, is available on the ASIS website.
Scott Briscoe is the content development director at ASIS International. He led the security trends research project.