To be clear from the start: the cybersecurity landscape has improved over time, mostly because cyber spending keeps rising year after year. Gartner estimates that organizations worldwide will invest $172 billion in cybersecurity this year, up from $150 billion last year, and that spending will continue to rise steadily thereafter.
These investments have produced, among other things, security analytics, a proactive approach that collects, aggregates, and analyzes data to detect and mitigate threats faster. Artificial intelligence and machine learning are becoming more effective, and zero trust architecture is now gaining interest in many organizations. It is harder than ever for attackers to break into large organizations.
Nonetheless, the number and scope of breaches continue to grow most years, and cyber experts agree that an enormous number of sizable organizations have already been compromised and likely will be again at some point. Why? A common refrain is that malicious actors keep improving and evolving, and while corporations work hard to keep up, it takes only one slip-up to open the door to cybercriminals.
Yet, there is another major reason as well – and one that gets far less attention.
Many organizations still have significant security shortcomings. These include mediocre cyber training, sub-par incident response plans, and a tendency to buy so many security tools that the tools end up undercutting each other. In addition, the constantly growing number of unfilled cyber jobs, now 715,000 in the U.S. alone according to a report by market research firm Lightcast, clearly is not being addressed sufficiently.
Are there solutions to these shortcomings? Yes, but they will require some attention. Here are some observations that could close these gaps:
Cybersecurity job hiring needs improvement
Compounding the shortage of cyber workers, companies often make hiring mistakes that make recruiting even harder. Unfilled vacancies do not simply make it harder to keep networks secure. They also hurt existing cybersecurity teams, which are expected to do everything necessary to maintain network security with only a fraction of the required personnel. That leads to burnout and drives more people to exit the industry altogether.
A big part of the problem is that the people doing the hiring cannot bend rigid rules. As in most professions, advertisements for cybersecurity jobs come with requirements for experience and qualifications. As articles in ZDNet, Protocol, and elsewhere point out, it is not uncommon for human resource departments to be too stringent given the scarcity of cybersecurity professionals. Many candidates are proficient even without formal qualifications, and yet they get passed over for job openings.
For example, many cybersecurity certifying authorities require up to five years of provable, full-time experience, and these certifications are demanded for many higher-level security roles. Even candidates with degrees in cybersecurity or computer science are often turned down because they lack a particular certification.
Mediocre cyber training
Employees typically receive a day or two of security awareness training when they are hired, and thereafter some sort of refresher once a year. This is not enough. Many employees forget some of what they learned within a few months, and in any case all employees need continuing help because the threat landscape changes constantly. The Advanced Computing Systems Association recommends that companies hold cybersecurity training every four to six months, preferably using interactive examples and videos.
It is also important to note that the knowledge and sophistication of the employees being trained varies widely, which often undermines effectiveness. Some studies have shown that even an employee's disposition can affect the odds of being compromised. One study found that respondents who identified themselves as "Type A" personalities did not believe they were at increased risk from reusing passwords, a genuinely risky practice, because they assumed their own proactive efforts were sufficient.
Too many employees remain insufficiently informed about cybersecurity, in part because many executives and managers put a higher priority on other things, such as amassing new technology to drive productivity gains.
Sub-par incident response plans
Incident response plans (IRPs) exist to speed up an organization's response to a breach and so limit reputational damage, customer distrust, regulatory and legal costs, and cleanup costs. Organizations need to be resilient. Underscoring how overwhelmingly most companies focus on prevention rather than remediation, a study by IBM Security and Ponemon Institute found that 74 percent of security and IT professionals surveyed in 11 global markets did not feel it was necessary to adopt IRPs consistently across their organizations, or at all.
So what do businesses do when serious cybersecurity incidents arise? They rely mostly on their security department. To contain a breach as much as possible, far more employees must also be seriously committed to staying abreast of cyber threats. They need to know the response plan, understand their own role in it, and practice it before a real incident occurs.
Too many security tools
Building an ample supply of security tools sounds like a good idea, but mostly it is not. A study by Ponemon Institute found that organizations use more than 45 such tools on average. Those using more than 50 ranked 8 percent lower in their ability to detect an attack and 7 percent lower in their ability to respond to one. The problem: the tools frequently overlap, conflict, and undermine each other.
When the tools are not fully integrated, which is typical, it is hard to form a holistic view as an analyst jumps from one console to another. More tools also mean more alerts to triage, many of them false positives. Complexity, in short, is a hidden cost.
Chief Information Security Officers (CISOs) believe even bigger cybersecurity investments are necessary
CISOs play a crucial role in advocating for cybersecurity investment, and more than half of them believe their boards still do not invest enough to mitigate cybersecurity risk, according to a survey by Censuswide, a London-based international market research consultancy. CISOs say some boards only discuss cybersecurity in the middle of a breach.
Here, CISOs themselves are part of the problem. Many need to become savvier in communicating with the board of directors. They should avoid jargon, bearing in mind that boards are rarely composed of cyber experts. Equally important, they should avoid using fear, uncertainty, and doubt to drive home a point, and should consistently make clear that the health of the company is the highest priority of all.
Corporate leaders need to be attentive to the basics of their infrastructure: a properly secured network, properly secured user accounts, and confirmation that hardware and software are patched consistently. Done routinely, this gets known vulnerabilities found and closed sooner rather than later.
Most important of all, leaders must build a culture around their security program. They need to understand how their executives currently approach cybersecurity and what changes are needed, prioritize fixing the gaps they find, and plan for what will be needed down the line. These steps deliver growth through digital trust and build both employee pride and the organization's reputation with customers.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.