As skills gaps grow and resources shrink, enterprise IT teams feel they may be on shaky ground in the evolving cyberthreat landscape.
While 80 percent of security leaders believe their organization will experience a cyberattack this year, few feel equipped to deal with the rapidly changing threat environment, according to a survey released Monday by IT governance association ISACA.
The survey, the second part of the association’s annual State of Cyber Security report, polled 633 ISACA members with primary job functions in information or cybersecurity, with the goal of assessing how prepared most enterprises feel to combat cyberthreats. The findings show that as the cyberthreat environment grows ever more hostile, resources and skills may not be keeping pace.
“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” Christos Dimitriadis, ISACA board chair and group head of information security at INTRALOT, said in a statement. “Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced, and prepared.”
So what’s causing this gap? The report highlights five key areas of concern:
1. Dwindling resources are proving to be a large barrier in the fight against hackers and ransomware. While more organizations than ever now employ a chief information security officer—with 65 percent reporting they have a CISO at the helm, compared to 50 percent last year—leaders are still struggling to fill open positions at lower levels, according to the first part of the report released in February.
2. Budget growth is slowing. Half of the enterprises report that they believe cybersecurity budgets will increase in the next year, compared to 61 percent in the 2016 report. “Although this is an encouraging sign and points to the fact that cybersecurity is increasingly being seen as an investment area, the rate of growth appears to have slowed,” the report finds.
3. The threat environment is more hostile than ever as enterprises begin to see more attacks alongside the slowdown in resource allocation. “Fifty-three percent of respondents reported an increase in attacks in 2016, and 80 percent believe it is either ‘likely’ or ‘very likely’ that they will be attacked in 2017,” the report finds.
4. The internet of things is the largest area of concern. IoT is replacing mobile device security at the top of the list of pain points for organizations in the coming year. Cybersecurity professionals should be sure protocols are in place to safeguard new threat entry points from IoT, ISACA suggests.
5. Ransomware is expanding, but processes to address it are not yet widespread, the report finds. In fact, 78 percent of the respondents reported that their enterprises experienced attacks in 2016 that included malicious software, and 62 percent reported a ransomware attack specifically. Despite these numbers, just 53 percent indicated that their enterprises have a formal process in place to deal with ransomware attacks.
All of which points to a need for strong leadership and resource commitments to cybersecurity, ISACA concludes.
“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” said Dimitriadis. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cybersecurity challenges faced by all enterprises.”