If you’re a cybersecurity pro who feels like a rabbit in headlights, then don’t be too depressed – you’re not alone. New research has found that while companies are very aware of business and technology risk, they’re not that good at managing it.
Infosecurity Group, in conjunction with governance and controls organization ISACA and the CMMI Institute, surveyed 4625 people in 140 countries. The research found that 67% of companies felt highly familiar with the level of risk facing their organization.
Cybersecurity is the biggest perceived risk by far, keeping 29% of respondents up at night. There are several main contributors to this risk.
Advancing technology is one of them. As new technologies emerge and become critical to business success, they make IT infrastructures more complex and increase their attack surface.
Cloud is the top culprit here. It may make business more agile, but it also creates more opportunity for cybersecurity issues, according to 70% of respondents. The IoT is the second most worrying new development, concerning 34% of respondents, while machine learning and AI worries 25% of people.
The second big risk is the threat landscape itself. The types of threats are changing, as the evolution of new technologies creates entirely new attack vectors. There are also more of them, according to the survey respondents.
This cybersecurity challenge sets up the conditions for another: shortcomings in the cybersecurity workforce. There are too few security personnel to track this fast-moving environment, respondents say, and those that do exist lack the necessary skills.
With these challenges increasing the pressure, how do companies protect themselves by identifying and mitigating these risks? The answer, unfortunately, is not very well.
For a start, companies have to find those risks. Only 38% of them have managed or optimized processes to do so.
When companies do learn about risks, their approach to mitigating them seems highly reactive. Fewer than six in 10 companies (57%) have executive teams who are highly responsive to new mitigation tactics after identifying a new risk.
The overall result is an inability to prepare for cybersecurity risk. Just 31% of companies could mitigate a risk within a month, rising to 60% within three months. That means four in 10 companies lack the ability to squash cybersecurity risks within a quarter.
We live in an industry where worms can sweep the world within two months of discovery. Remember WannaCry, the ransomware bug that spread throughout the world in 2017? Microsoft had issued a patch for that bug two months prior.
Many companies turn to a reliable backstop in their bid to protect themselves: insurance. Almost half (43%) of organizations use this as a tool to mitigate cybersecurity risk.
We must do better as an industry, especially as 53% of organizations believe that their overall risk has risen in the last 12 months. This will take a concerned rethink from senior management and a focus on process. The sooner the work begins, the sooner our customers and employees will benefit.
To learn more, register to attend Infosecurity ISACA North America, November 20-21 2019.
