Cybersecurity in 2019: Not Gaining Sufficient Ground Against Threats

Cybersecurity is a constantly evolving and maturing discipline.

The problem is that the rates at which effective cybersecurity practitioners and investments are growing are not keeping pace with the growth in cybercrime, cyber-threats and all the risks that go with them.

Here are two questions to reflect upon:

  • How many data breach apologies did you read in the past 12 months?
  • How many of them do you believe were not preventable by the organization impacted?

Take any mega breach where the causes are revealed, and I have yet to find a single one where a skilled infosec practitioner cannot point out how the breach occurred due to three or more major or critical security controls that were either absent or not working effectively.

As mentioned in an earlier article of mine for Infosecurity Magazine, the combined losses from cybercrime and tech outages ran to $1.5tn in 2018; meanwhile, global expenditure on cybersecurity languished at just 10% of that figure: $150bn.

So it was with some interest that I read through the recent ISACA State of Cybersecurity 2019 survey. How would the overall failure of most organizations to invest adequate resources into tackling cybersecurity effectively be reflected in the results?

The ISACA survey included over 1500 information security respondents from around the world, among whom 58% report that they have open (unfilled) cybersecurity positions in their organizations, just 1% lower than the 59% reported in the previous year. That same figure, 59%, is also the share of respondents who found that less than half of the applicants for any unfilled infosec vacancy appeared to have the right qualifications for it. Meanwhile, 29% reported that less than one in four candidates were suitably qualified.

Generally, 69% of respondents believe their cybersecurity department is understaffed, with technical cybersecurity roles found to be the hardest to fill: three in five respondents (62%) with open positions reported that most or all of their unfilled positions were for technical cybersecurity professionals. The most significant skills gap among cyber-professionals was perceived to be the ability to understand the business.

However, what I was really digging through the report for was to find out about the budgets. After all, with all the ongoing publicity about cybersecurity and data breaches – and with such a startling disparity between the rate of growth of cyber-threats and cybercrime – I would not be staying on at any organization without a healthy double-digit increase in its cybersecurity budget.

So, how many cybersecurity departments are expecting a significant increase in their budgets this year? Just 8%. A further 47% reported that they will get some increase – but that left an eye-watering 46% of organizations facing either no increase at all or a security budget reduction.

This is all great news…if you work in cybercrime…but it is not great news if you are a hard-working infosec professional trying to put the right measures in place to protect your organization. Not only is your management unlikely to have been allocated enough budget for cybersecurity and infosec resources, but even the resources you are allocated may not appear, or may not have the right skills if they do appear.

Overall, what this State of Cybersecurity research has shown is that even though there are some slight improvements in some areas, most organizations have yet to understand how to sufficiently invest in and acquire the cybersecurity resources that they need to appropriately protect their assets.

So, the next time you read a data breach apology from a major organization, why not take a moment to wonder just how little they might be spending on cybersecurity – and how overworked and underappreciated the infosec professionals who are trying to hold things together might be.
