There is certainly more awareness about the importance of cybersecurity now than ever before, but are things in cybersecurity better or worse than they were 12 months ago?
In the past year, we have seen mega-malware such as Wannacry and NotPetya temporarily wipe out some enterprises and services. We have seen new records set by DDoS attacks, with the largest event hitting a giddy 1.7 Tbps – and we have also seen that simply handling the capture and sharing of digital personal information about your subscribers in ways they do not like (even if they originally consented to it) can wipe a sizable percentage from the value of a company.
The nature of attacks is changing, too. Twelve months ago, cryptojacking (the hijacking of computer resources to perform paid cryptocurrency mining work) had rarely been heard of and fileless malware (malicious software that can persist and operate in the memory of computer devices) was a rare exploit type.
According to VirusTotal statistics, there were an average of more than one million potential new threat files submitted to them each day in March 2018. On some days, that figure came close to two million.
The speed and pace of the threat landscape evolution is overwhelming. To keep pace, cybersecurity teams are having to continually evolve and adapt to the new threat types, often needing to invest in new security technologies and adjust their defensive processes. They also have to invest in continual training, research and threat intelligence.
ISACA’s 2018 State of Cybersecurity research provides insights on these topics. Here are some of the selected results that raised my eyebrows:
Are boards and CEOs taking security more or less seriously than a year ago?
It seems that over the past 12 months, security has slipped down the boardroom agenda. According to the survey results, only 20% of organizations have their security function reporting to the CEO or main board. This represents an even lower figure than the 24% from last year (although the question in the previous year was phrased slightly differently).
Also, 57% of the practitioners surveyed believed that their main board was adequately supporting security initiatives, a 10% decrease from the 67% figure from the previous year.
On the bright side, 64% of enterprises were expecting to increase their cybersecurity budget this year, which also means that in 36% of enterprises, the expectation is to make do with the same or less money on their security efforts. That is an improvement over last year (where only 50% of respondents expected a security budget increase) but still shows a degree of complacency or risk-optimism in a sizable number of organizations.
Are enterprises keeping pace with emerging threats?
A good indicator of whether an organization is keeping pace is to understand how they are doing with their recruitment of skilled cyber professionals. In this area, 59% of organizations reported they had one or more unfilled vacancy within their teams.
There also was an 11% increase in the number of organizations reporting that the lead time to fill open security positions was now three months or longer (73% reported a recruitment lead time of three months or longer, up from 62% in the survey from the previous year).
Respondents to the survey also reported that over 50% of the candidates that applied were not qualified for the roles they were applying for.
According to the survey, the most frequent and difficult skills shortage area was acquiring people with appropriate operational technical cyber skills. More than 3 in 4 (77%) respondents thought they had needs for more technical staff, whereas only 21% thought they needed more executives and only 46% thought they needed more non-technical staff.
Have the opportunities for cyber-criminals increased or decreased in the past 12 months?
From the survey results, it looks like an overall win for the cyber-criminal. The chances are very good that many organizations have yet to acquire the budget, skills and controls required to match the increase in cyber threat and risk levels from the past 12 months.
Most organizations are still reporting challenges in filling their security team roles. If an enterprise does get hit, in about 80% of cases, the board or CEO will have to face questions about why the security function was not even reporting into the main board.
What can be done about this?
It’s time for every enterprise to think with far more care about their security function. Cybersecurity is a tough business. It requires people willing to continually learn and adapt their skills as the threats evolve. If your enterprise is not making the right investments in the training, recruitment and tooling for your critical security staff, the impact may be far greater than you ever thought.