Cyber threat awareness and spending are up, but organizations feel less confident than ever in their ability to handle the threats. This is one of the conclusions of the State of Cybersecurity: Implications for 2016. The study, conducted by RSA Conference and ISACA and presented at the recent RSA Conference in San Francisco, reveals some startling and some not-so-unexpected trends.
Attacks are getting more frequent and sophisticated – no surprise there. Some experience attacks on a daily basis and nearly 75% of the survey participants – all cyber or information security specialists – expect their organization “to fall prey to a cyberattack in 2016.”
The good news is that companies are increasingly aware of the dangers and are motivated to address them. According to the study, “82 percent of respondents report that their enterprise board of directors is concerned or very concerned about cybersecurity” and “61 percent expect their cybersecurity budget to increase in 2016.”
However, despite these steps, 60 percent “do not believe their information security staff can handle anything more than simple cybersecurity incidents.” ISACA attributes a large part of this unpreparedness to the continuing shortage of qualified, skilled security talent. Organizations are taking longer to fill positions and new hires require more extensive training.
Another contributing factor, somewhat buried in the data, is the effect of institutional reporting structures. “Just 21 percent of chief information security officers (CISOs) report to the chief executive officer (CEO) or the board, while most (63 percent) report through the chief information officer (CIO).” Why does this matter? As the study points out, this reporting structure can be problematic because it “positions security as a technical issue rather than a business concern.”
Moreover, as Gartner cybersecurity analyst Avivah Litan explains in the Wall Street Journal, cybersecurity measures can conflict with the CIO’s focus on costs and revenue. According to Litan, “The security function needs to be elevated to CEO level to give the organization the check and balance, and integrity, it needs.”
These trends are troubling but, again, not shocking given the field’s rapid growth and relative infancy. The biggest surprise for the report’s producers was the “global lack of cyber situational awareness”, especially since the respondents’ primary role is cyber or information security. The study found that almost a quarter didn’t know if any user credentials had been stolen in 2015, nearly another quarter didn’t know which threat actors had exploited their organizations, and 23 percent weren’t sure if their company had experienced an advanced persistent threat (APT).
The report concludes that this indicates the need for better monitoring, an improved ability to interpret logs, and enhancement of employee skills. Another takeaway could be an increasing need for security solutions that do not depend on constant human intervention. While skilled professionals will always play a key role, deterministic, rather than heuristic, security models can offset the people and skills gap.
To read the full report, see http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2016.aspx. You can also watch a webinar analyzing ISACA’s research and results, presented by Ron Hale, PhD, ISACA Chief Knowledge Officer.