6 Observations About Cybersecurity Based On Two New Surveys


Cybersecurity incidents and attacks have become almost daily news, and two new surveys give voice to the executives and cybersecurity professionals struggling to defend their organizations.

PwC, collaborating with CSO, the U.S. Secret Service, and the Software Engineering Institute CERT® Division at Carnegie Mellon University, surveyed more than 500 executives from U.S. businesses, law enforcement services and government agencies. Dark Reading and Black Hat surveyed 460 security professionals, predominantly at large companies, all of them past attendees of the Black Hat USA conference.

Cybersecurity is a fast-growing business risk, but it is still poorly understood

A record 79% of executives said they detected a security incident in the past 12 months, and there were 163 security incidents per organization on average, 21% more than the year before. Because many incidents go undetected, the real number is likely higher (PwC). 73% of security professionals say it is likely that they will have to respond to a significant compromise in the coming year (Black Hat). Ransomware, a comparatively new type of cybercrime in which organizations are forced to pay for the removal of malware affecting their systems, was cited as a current threat by 13% of executives. In response to the increased sophistication and number of threats and incidents, 45% of executives said they increased information security spending over the year before, and 20% of large businesses said they raised security investments by 20% or more in 2014 (PwC). Still, 69% of large organizations (1,000+ employees) could not estimate the financial impact after detecting a security incident (PwC), and the response to current and future threats is underfunded: only 34% of security professionals said their organization has enough budget to defend itself against current threats, and only 3% say threats from the Internet of Things (IoT) are a budget priority, although 36% said IoT will be among their top concerns two years from now (Black Hat).

The common response is to throw technology at the problem, neglecting required investment in people and processes

What are the spending priorities for the increased cybersecurity budgets? 47% said adding new technologies is a spending priority, higher than all other initiatives. Only 33% prioritized adding new skills and capabilities, and 15% cited redesigning processes as a priority (PwC). But people and processes could be more important than new technologies, as security professionals are failing to tune cybersecurity spending to meet their most current concerns. Most enterprises are not spending their time, budget, and staffing resources on the problems that the most security-savvy professionals consider the greatest threats. For example, 57% of security professionals cited targeted attacks as their greatest concern, but only 26% indicated that targeted attacks were among the top three IT security spending priorities in their organization, and only 20% said that targeted attacks were among the top three tasks where they spend the most time. The most time-consuming tasks are addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%), tasks that are not considered the greatest threats. 20% of security professionals cited "a lack of security architecture and planning that goes beyond firefighting" as their weakest link (Black Hat).

The people component of cybersecurity is critical—and often neglected

"Companies that implement new technologies without updating processes and providing employee training will likely not realize the full value of their spending," says the PwC report. Only 50% of executives said they conduct periodic security awareness and training programs, and only 50% offer security training for new employees (PwC). Yet social engineering attacks targeted at employees were the top concern for 46% of security professionals, and 33% said that "end users who violate security policy and are easily fooled by social engineering attacks" are the weakest links in the IT security chain of defense (Black Hat). Only 26% of executives thought they had the expertise and capable personnel on staff (PwC), and only 27% of security professionals said they feel their organization has enough staff to defend itself against current threats (Black Hat).

Cyber threats and vulnerabilities lurk inside and outside the organization

Executives pointed to hackers (25%), current employees (12%), organized crime (10%), foreign nation-states (8%), and activists/hacktivists (6%) as the main sources of cyber threats. The 23% who responded "don't know" may reflect how difficult it is to pinpoint the real source of an attack (PwC). Security professionals identified as the greatest threats: sophisticated attacks targeted directly at the organization (57%), phishing, social network exploits or other forms of social engineering (46%), accidental data leaks by end users who fail to follow security policy (21%), polymorphic malware that evades signature-based defenses (20%), espionage or surveillance by foreign governments or competitors (20%), and security vulnerabilities introduced by the organization's application development team (20%) (Black Hat).

Cybersecurity leaders understand cybersecurity's importance to the overall health and strategy of the business

Characteristics of cybersecurity leaders include: their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes quarterly security presentations to the board (30%); their full board is involved in cyber risks (25%); they evaluate the security risks of third-party partners (62%) and of contractors (57%); they are involved in industry-specific Information Sharing and Analysis Centers (ISACs) (25%) (PwC); their security professionals have the skills they need to do their job (36%), get adequate support from their non-IT counterparts (30%), and are happy in their jobs, so it would take a lot to get them to change positions (24%) (Black Hat).

Cybersecurity laggards do not see cybersecurity as an overarching corporate risk issue

Characteristics of cybersecurity laggards include: they are "severely hampered" in their defenses by a lack of funding (21%) (Black Hat); they are not at all worried about any kind of supply chain risk (19%); they do not evaluate third-party security at all (23%); their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes no presentations to the board (28%); their board is not engaged in cyber risks (30%) and views cybersecurity as an IT risk (49%) or through the lens of corporate governance (42%) (PwC); their security professionals are looking for a new position (20%) and describe their security departments as being "completely underwater" (22%) (Black Hat).

Sources:

PwC, CSO, U.S. Secret Service and CERT Division of the Software Engineering Institute: "US Cybersecurity: Progress Stalled," key findings from the 2015 US State of Cybercrime Survey.

Dark Reading and Black Hat: "2015: Time to Rethink Enterprise IT Security," 2015 Black Hat attendee survey.
