New research from ESG and ISSA reveals that a lack of training, inadequate cybersecurity staffing, and business apathy contribute to security events.
ESG recently published a new research report titled, The Life and Times of Cybersecurity Professionals, with its research partner, the Information Systems Security Association (ISSA).
The research looks closely at the ramifications of the cybersecurity skills shortage — beyond the obvious conclusion that there are more cybersecurity jobs than people with the right skills and background to fill these jobs.
As part of this research project, ESG and ISSA wanted to understand whether the cybersecurity skills shortage is a contributing factor to the constant wave of security events experienced by large and small organizations.
To that end, 343 cybersecurity professionals (mostly ISSA members) were asked whether their organizations had experienced a security incident over the past two years (e.g. system compromise, malware incident, DDoS attack, targeted attack, data breach, etc.). More than half (53 percent) admitted that their organization had experienced at least one security incident since 2015. It is also noteworthy that 34 percent responded with “don’t know/prefer not to say,” so the percentage of organizations experiencing a security incident is likely much higher.
4 factors contributing to cybersecurity incidents
Those survey respondents confessing to a security incident were then asked to identify the factors that contributed to these events. The data reveals that:
- 31 percent cite a lack of training for non-technical employees. This indicates that employees are probably opening rogue attachments, clicking on malicious links, and falling for social engineering scams, leading to system compromises and data breaches. Clearly, firms are not dedicating the people or financial resources necessary to provide ample cybersecurity training and are suffering the consequences.
- 22 percent say the cybersecurity team is not large enough for the size of their organization. Boom, direct hit. In an earlier blog post, I revealed some data about the implications of the cybersecurity skills shortage, including an increasing workload on staffers and a myopic focus on emergency response at the expense of planning and strategy. The data also exposes that the skills shortage leads directly to more security incidents, which lead to business disruption, negative publicity and data breaches.
- 20 percent say business and executive management tend to treat cybersecurity as a low priority. The lack of suitable business oversight on cybersecurity was a consistent theme throughout the ESG/ISSA research. It remains true that business executives are overlooking their fiduciary (and moral) cybersecurity responsibilities. Based upon this data, we can anticipate some massive GDPR fines in the second half of 2018.
- 18 percent say the existing cybersecurity team can’t keep up with the workload. Another direct hit — the workload is too big, and the staff is too small.
Breach detection, proactive threat hunting, and incident response tend to be people-intensive processes dependent upon advanced skills, so it’s logical to assume the cybersecurity skills shortage would have a profound impact here. The ESG/ISSA research proves there is a strong correlation here, so it’s safe to say that organizations with lots of open cybersecurity requisitions can expect a lot of malicious activity on the network.
How to handle cybersecurity requirements when short-staffed
Can anything be done? Yes. CISOs should assume they’ll be short-staffed and therefore address cybersecurity requirements by doing these things:
- Proceed toward advanced prevention. CISOs should go the extra mile to decrease the attack surface by using technologies such as micro-segmentation, identity-based access controls (i.e. zero-trust networking), threat intelligence gateways, and secure DNS services.
- Automate processes. Cybersecurity pros should assess current processes and look for ways to automate things such as data collection, event lifecycle management, and process workflow.
- Add intelligent solutions. All organizations should be investigating, evaluating, and deploying security solutions based upon artificial intelligence (AI). While this technology is in its genesis, it can be applied to accelerate threat detection and ease the burden on the SOC team.
- Get help. CISOs must honestly assess whether they have the staff level and skills to keep up with requirements. Those who find themselves lacking should throw in the towel and find managed service and SaaS providers that can bridge this gap.
Note that the ESG/ISSA report is available for free download here.