Organizations are concerned about cybersecurity, but their tech teams aren’t necessarily prepared to fend off an attack, according to a new study from information systems association ISACA.

The percentage of security professionals who are confident in their team’s ability to prevent and fight cyberattacks has dropped from 87 percent to 75 percent over the last year, the study found. Moreover, 42 percent of those who are confident in their teams report they feel their team could handle only minor incidents.

“It’s not new news that trained professionals are really required in order to meet the challenges being created by the increasing threat landscape,” ISACA CEO Matt Loeb said. “I think what is alarming is that the skills gap is getting worse, which means that more action is needed in order to train the workforce to deal with these challenges.”

The issue of a cyberattack is not just what is my IT group doing. The issue of a cyberattack affects business operations, it affects the economic condition of a business, it affects a company‘s reputation and its brand.

Loeb said the lack of training opportunities, time invested, and ability to apply knowledge has resulted in this widened cybersecurity skills gap. The best way to rectify this problem and make professionals comfortable with their team’s competency is by providing skills-based training that would include practice in the face of real-time attacks.

But organizations are nervous—in fact, 82 percent of boards are concerned about cybersecurity, based on the survey responses of 461 security professionals. However, that concern isn’t always translating to viewing cybersecurity as a threat to the entirety of an organization, as only one-in-seven chief information security officers report directly to the CEO.

“It raises the question whether there is true recognition within organizations as to whether this is still viewed as a technical issue or a business issue. I submit to you, it’s a business issue,” Loeb said. “The issue of a cyberattack is not just what is my IT group doing. The issue of a cyberattack affects business operations, it affects the economic condition of a business, it affects a company‘s reputation and its brand.”

He added though that while there is still improvement needed, the boards’ concern has initiated a necessary shift in the way leadership views cybersecurity. This is evident in another ISACA finding that there could be as many as 2 million open positions related to cybersecurity by 2019.

“The landscape is changing,” Loeb said. “Senior management and leadership is recognizing that this is a growing business concern, but I think that there’s still a ways to go before these issues are getting the level of recognition and attention they deserve when you cut across the entire market landscape.”

The main challenge again is finding properly trained people to fill these spots. He noted that no organization will be completely ready for a cyberattack, but they can best prepare by acquiring and training a strong technical workforce, increasing leadership recognition of the security threat, and raising awareness among all employees of the realities of cyberattacks.

(iStock/Thinkstock)