There is a saying in security that the bad guys are always one step ahead of defense. Two new sets of research reveal that the constant cat-and-mouse game is wearing on security professionals, and many feel they are losing in the war against cybercriminals.
The first figures are from the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). The two polled cybersecurity professionals and found 94 percent of respondents believe that cyber adversaries have a big advantage over cyber defenders—and the balance of power is with the enemy. Most think that advantage will eventually pay off for criminals, as 91 percent believe that most organizations are extremely vulnerable, or somewhat vulnerable, to a significant cyberattack or data breach.
This mirrors Malwarebytes' own recent research, in which 75 percent of surveyed security professionals admitted that they believe they could be breached in the next one to three years.
What’s behind this defeatist mindset?
In a blog post on the ESG/ISSA research, Jon Oltsik, principal analyst at ESG says in part the lack of confidence exists because criminals are well organized, persistent, and have the time to fail and try a new strategy in order to infiltrate a network. Meanwhile, security managers are always busy and always trying to play catch up.
The skills shortage that is impacting the security field is compounding the sense of vulnerability among organizations. ESG found 53 percent of organizations report a problematic shortage of cybersecurity skills, and 63 percent of organizations continue to fall behind in providing an adequate level of training for their cybersecurity professionals.
“Organizations are looking at the cybersecurity skills crisis in the wrong way: It is a business, not a technical, issue,” said ISSA International President Candy Alexander in response to findings. “In an environment of a ‘seller’s market’ with 77 percent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function.”
Where do we go from here?
An entirely new perspective on addressing risk mitigation is required to turn this mindset around. As Alexander notes, security is a business issue, and it needs attention at all levels of the organization.
But the research shows it doesn’t get the respect it deserves, as 23 percent of respondents said business managers don’t understand and/or support an appropriate level of cybersecurity. Business leaders need to send a clear message that cybersecurity is a top priority and invest in security tools and initiatives in turn to reflect this commitment.
This approach is well-supported by research. In fact, a recent report from Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC) finds top-performing security programs have one thing in common: They have the attention of executive and board leadership, which also means security is seen as a priority throughout the organization.
ESG/ISSA makes other recommendations for changing the thinking about security. They include:
CISO elevation: CISOs and other security executives also need an increased level of respect and should be expected to engage with executive management. Regular audience with the board is critical to getting security the visibility it requires organization-wide.
Practical professional development for security pros: While 93 percent of survey respondents agree that cybersecurity professionals must keep up with their skills, 66 percent claim that cybersecurity job demands often prevent them from taking part in skills development. Other noted certifications do not hold as much value on the job, with 57 percent noting many credentials are far more useful in getting a job than doing a job. The report suggests prioritizing practical skills development over certifications.
Develop security talent from within: Because the skills gap makes hiring talent more challenging, 41 percent of survey respondents said that their organization has had to recruit and train junior personnel rather than hire more experienced infosec professionals. But this is a creative way to deal with a dearth of qualified talent.
The report recommends designing an internal training program that will foster future talent and loyalty. It also suggests casting a wider net beyond IT and finding transferable business skills and cross career transitions will help expand the pool of talent.
While the overall picture appears as though security progress is slow in business, adjustments in approach and prioritization of security can go a long way in raising the program’s profile throughout the organization. With more time, attention, and respect given to security strategy and risk mitigation, defense in the future can be a step ahead instead of woefully behind the cybercriminal.