The findings of a new ISACA research report on the state of cyber security are quite sobering: a huge majority of the organizations the group surveyed for its study expect to be hit with a cyber attack this year, but many of them remain unprepared to defend against such attacks.
New and evolving security threats, combined with persistent resource challenges, are limiting organizations’ abilities to defend their data against intrusions, according to the 2017 State of Cyber Security Study from ISACA, a global association that helps individuals and enterprises achieve the positive potential of technology.
ISACA surveyed more than 600 security executives worldwide in October 2016, and found that four out of five think it is likely that their organization will be attacked this year. Only 46% are confident in their organization’s cyber defense teams, the report said.
Another key finding of the study is that cyber security budgets are still growing, but at a slower rate. Exactly half of the respondents expect to see budget growth over the next year, but that is down from the 61% who a year ago said they anticipated a budget increase.
One of the biggest challenges organizations are facing when it comes to cyber security is the ongoing lack of available skills. Many companies are continuing to struggle to find qualified cyber security personnel.
Only 30% of those surveyed said they receive 10 or more applicants for an open position, and fewer than half of those applicants are qualified for the role. In addition, more than half of all respondents said cyber security professionals lack an ability to understand the business.
The ISACA study identified practical skill competency and certification attainment as the key attributes that hiring managers consider when making cyber security hiring decisions. Therefore, a hiring strategy that emphasizes performance-based certifications, which require applicants to demonstrate practical cyber security skills, is key to successfully filling open positions, the report said.
Certifications, which can be earned in less time than a formal degree, have become a prevailing consideration when filling an open cyber security position, ISACA said. Although training is a critical need in addressing the skill shortages, about one quarter of organizations have training budgets of less than $1,000 per cyber security team member.
Even amidst the ongoing talent shortage, the threat environment is becoming increasingly hostile, ISACA said, with 53% of the survey respondents reporting an increase in attacks in 2016.
One of the biggest security concerns is the growing Internet of Things (IoT), which ISACA said is replacing mobile technology as a major area of risk. An overwhelming majority of organizations surveyed (97%) see a rise in IoT usage, and security concerns show no sign of lessening, the study said.
Another big challenge for security executives is the ongoing rise in ransomware attacks, and unfortunately many companies are not prepared to deal with them.
Nearly two thirds of the organizations (62%) said they had experienced ransomware attacks in 2016, but only 53% of them said they have a formal process in place to address this security threat. That’s a concerning number considering the significant international impact of the recent WannaCry ransomware attack, ISACA said.
In addition to IoT and ransomware threats, malicious attacks that can impair an organization’s operations or user data remain a big concern. A majority of organizations (78%) reported they have experienced these kinds of attacks.
And yet despite the growing threats swirling around companies, fewer than one in three organizations (31%) said they routinely test their security controls, and 13% never test them. Sixteen percent of the organizations do not have an incident response plan.
“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” noted Christos Dimitriadis, ISACA board chair and group head of information security at gaming solutions provider Intralot. “Cyber security professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”
One positive development is that more organizations than ever (65%) now employ a CISO. That’s up from 50% in 2016.
The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign, Dimitriadis said. “But that’s not a cure-all,” he said. “With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cyber security challenges faced by all enterprises.”