Tripwire recently conducted a series of surveys and interviews to understand IT professionals who manage security for their company. The cybersecurity landscape is constantly changing, new challenges are rapidly emerging, and new threats have surfaced, especially throughout the pandemic. We were curious to know some of the struggles that security professionals experience as a part of their job. We were especially interested in small to mid-size companies, entities which often don’t have the necessary budgets or resources to tackle cybersecurity threats.
Through our inquiries, we gained deeper insights about security budgets in different companies as well as insights into what security professionals are like as people, what concerns them, and what security initiatives they hope to achieve for their company. Here are some of our findings.
When It Comes to Security, Recommendations Are Key
When it comes to decisions about which security products to research, security professionals rely on product reviews offered by recognized blogs and articles. However, recommendations, whether from friends, colleagues, or known experts in the field, are also considered valuable. We also asked about the use of social media platforms for professional advancement such as reading articles, watching product demonstrations, and keeping up with industry news.
LinkedIn was the most used and trusted social media platform, while many respondents mentioned Gartner as the first step in researching what security solutions they should be thinking about.
“Sometimes I just go to LinkedIn. My friends might be using another security company and then I will check it out. Aside from LinkedIn, checking on Gartner is the easiest way to go. Gartner reviews what is the best event management, what the next best firewall is, etc. Gartner gives very extensive reviews of these types of products. And friends’ recommendations when I meet them.” Security analyst in a mid-size company
In some companies, security is seen as an afterthought, and this is often reflected in poor security budgets as well as in handing the responsibility to other IT professionals.
Through our research, we learned that in some companies, especially smaller ones, security is not taken seriously enough. There may not even be a dedicated security role. Instead, the job is passed to IT professionals (IT support, network or cloud engineers, IT managers) who already juggle many responsibilities and have little time left for security.
“This may be my third career down the line, and a lot of companies I joined are desperately looking for cybersecurity, but there is a lack of talent. This is good for people who are in cybersecurity but also very bad because the rest of us have a lot of shoes to fill and nobody wants to fill them.” System administrator in a mid-size company
“We do not have dedicated people managing IT security; this is often demanded of me or another two colleagues. We usually treat security as a side effect.” Cloud engineer in a mid-size company
“Too many moving parts and not enough people to cover them. Being a small company, I have to wear many hats.” Database analyst in a mid-size company
We also heard that these increased responsibilities could easily lead to burnout.
“It [the security landscape] changes all the time, so you really have to keep on top of things, but along with that comes a lot of stress. And I feel like I had to work very hard to be able to manage that stress, especially with it all being on my shoulders. I think that’s a big issue. A lot of security people that I know have burned out relatively quickly. I think that’s a big issue that needs to be talked about more often.” IT director in a small company, who acts as a CISO
In the absence of adequate funding for security personnel, some companies are trying to show they have a good security posture by promoting non-security staff to more senior security roles. However, this comes with a lot of responsibility and pressure. One participant shared that the company offered him the role of CISO, but he refused, feeling uncomfortable with assuming such an important role while not having the relevant experience.
Participant: “They [the company] offered me a title of a CISO, but I refused as I do not feel comfortable being a CISO. I feel like CISOs have at least seven years of prior experience and multiple certifications. And they have worked on multiple projects with different teams, and I don’t have that experience.”
Interviewer: “What I heard you say is that another person on your team was offered a role of CISO because you didn't feel comfortable taking that role, as it comes with a lot of responsibility. The company doesn't have the budget to hire a qualified person for this role. And what I read between the lines is that your company is trying to pretend they have a good security posture.”
Participant: “You really hit the nail on the head, and I’m not the only one that feels like this. I feel a lot of companies do this. It's a very sad world, but that's the truth of a lot of organizations I see.”
When it comes to security budgets, the majority of security professionals surveyed reported the budget was adequate (61.1%); however, smaller companies were more likely to say their security budget was lacking.
“Management is currently focused on providing resources towards business development and not so much cybersecurity as they don't think a large attack will surface.” Security manager in a mid-size company
“Security continues to be an afterthought, unfortunately. It's almost just expected, and yet no real resources are given to maintain it. Quite frustrating, but we do the best we can.” IT administrator in a mid-size company
However, this was not true of all small companies. Some reported having a good budget for security and leadership that listens. Unfortunately, this was rare, and it also depended on whether the organization must comply with certain regulations, wants to attract certain customers, or is asked by those customers to show proof of good cybersecurity practices.
“Depending on the security product we use in our company, it depends on the cost and price that is suitable, which is followed by the director of the company or the IT manager in my department. In most cases, we are able to afford most purchases that will help improve the business structure and security.” IT support engineer in a small company
“We don't actually have a budget. CEO has a high degree of confidence in me, and so he knows that when I come to him and say I need something that relates to security, he understands that it's something that we need to do. It doesn't mean he won't question me on the price tag, but I can pretty much do what I need to do to make sure our company is secure.” IT director in a small company
The pandemic has also squeezed security budgets, even as cyber threats increased during it, exploiting the fear and uncertainty faced by many companies and private individuals. This has undoubtedly added to workloads at a time when there is a global shortage of cybersecurity professionals.
“We are a small to mid-size company, and we have basic security monitoring solutions in place. Our company offers legal and security services but suffered a lot during COVID-19, and the management has very little budget right now to invest into new services and technology. This is not a priority now.” Cybersecurity analyst in a mid-size company
What Are Security Professionals Like, and What Are Their Challenges?
We also explored the personality characteristics of security professionals and found that they are highly curious, analytical, and, above all, continuous learners. Cyber threats keep evolving, so a large part of the security role is staying on top of new information.
“Security is one of the domains where we have to keep on learning stuff every day. The threat landscape is changing day by day, and we can only provide security if we are familiar with the latest news and topics in the industry.” Security manager in a mid-size company
Some participants said that the job comes with an aspect of ambiguity, which can be scary. Not always having all the answers or knowing where the next attack will be coming from is a worry for some.
“It feels scary. A lot of days, you don't know if you're going to be able to do everything you need. A lot of times, you have a lot more questions than answers, and I’ve heard from other people in my field that that's a very common thing to feel. It's also challenging because you learn something new every time you tackle a problem, so it's just one of those love-hate things about the job.” System administrator in a mid-size company
“I definitely worry daily, being responsible for security. Fines can be in the millions of dollars for some companies. So I try to wake up every day and almost scare myself into thinking outside the box. What can I anticipate? How can I improve?” IT director in a small company
Other challenges include not being listened to about cybersecurity threats and having to continually advocate for good security practices within their company.
One participant joked about an idea he had to make his company’s leadership take security threats more seriously. While this is a tongue-in-cheek comment, it illustrates the frustration that some security professionals experience with threats not being taken seriously in their organizations.
“I had a pretty radical idea. I told my manager: What if we show them [the leadership] the danger? What if we infect their PCs or deface company website? Let’s show them it’s real. He immediately said: 'You’re out of your mind. We can’t do that.' If he was an analyst like me, he would have said, 'Yes, let’s do it.' He’s a lot wiser than me.” Security analyst in a mid-size company
Some security professionals also mentioned struggling to keep up with security improvements due to having so many responsibilities.
“I keep up with mostly job-focused items. I wish I had time for more, but I simply don't. It's hugely important to keep up as much as possible, as breaches and other security events affect our clients, and we need to know and work to prevent these items, but there's just so much of it.” IT manager in a mid-size company
“You have to keep up with IT security. I really want to spend more time doing research and hardening our defense, but it's hard to manage the time when you're the end-user's first line of support.” IT system specialist in a mid-size company
Feeling Confident that the Company Is Secure
We also asked security professionals to rank suggested categories in order of importance. The majority reported that feeling confident that the company is secure and having the best security solutions were top priorities. Having leadership that understands the value of spending money on security was also key. Many also said that they need to trust the solutions they recommend to their organization because their reputation depends on it. Because of this, the process of choosing the right tool can involve many steps, including checking the reputation of the company providing the solution.
“My job as an IT Admin can be very stressful at times, and I have to take many steps to ensure that the products we use are safe and secure and also make sure I maintain all of the security and systems we have at the company. It isn't an easy job. When looking for a new product, it would take me a few weeks to make an affirmed decision because I want to ensure that the product that I am signing up for will do the job, will hold up to our standards, and make sure it's reliable so we don't risk any type of data breaches.” IT administrator in a small company
Some reflected that when shopping for new products, it is not only the product that they are testing and shopping for. They are also assessing customer service and support, as this signals the type of future relationship they may have with the company that sells the solution.
“I don't think the product with the most expensive price means it's necessarily the best. I feel like my relationship with the company is wildly important, and so we ultimately chose a solution that maybe was just a notch below the expectations of the other one, but because of the relationship with that company, the account executive, and their technical support, it propelled them into the number one spot.” IT director in a small company
In our interviews, we also explored the top concerns for next year. The majority of security professionals we spoke to named data loss prevention as a top goal. This goes hand in hand with Gartner projections. Other big concerns included managing employees and ransomware. Working from home has made securing networks more challenging, and employees don’t always understand the dangers and signs of social engineering, despite ample training.
“Working from home is still a challenge for IT. When people were working in the office, we were able to secure the perimeter by hardening the office network. Now the network is expanding to everywhere, and we don’t know who else is on the network. So it’s more challenging to harden it, and we are trying to achieve zero trust.” Security engineer in a mid-size company
“I hate to say this, but really ultimately, it's the users [that make company security unpredictable]. You can put all the security mechanisms in place, but at the end of the day, phishing attempts against users, that's where exploits happen, where the door is. The more sophisticated that attacks get, you can only simulate so much, and all it takes is one user to not understand that it is an attempt, and you can be in trouble. I’ve seen the rise in phishing text messages, which is something that, in the past, has not really been a thing.” IT director in a small company
Many IT professionals find themselves in a security role without adequate training or support. Frequently, the tools they use are not their first choice and require a lot of setup or rely on manual processes which, in an already busy environment, can be very time-consuming. Often, the motivations for acquiring certain tools differ between leadership and security professionals: while organizations look to cut costs, security professionals value tools that automate tasks and save them time.
“We are a very small organization, and I have many projects to do. If it [security tool] saves me time, I’ll pursue it. From the company side, if it saves them money, they’ll buy it. Security tools save you money in the future. If it will help us pass infosec review with a potential client and the client will pay us money because we have this tool, that’s one thing. But also, if the tool saves me time and I can do a better job so we don’t end up having a security breach that will end up costing us money in the future, then it has potential.” IT manager in a small company
With cybersecurity month (October) behind us, we can all stop and appreciate how much security professionals really do to keep organizations secure and safe from cybercrime. This job is not easy and often relies on employee cooperation as well as the organization’s vision when it comes to cybersecurity. Let’s make December cybersecurity professional month and take time to appreciate security professionals for all they do.