It should be recognized from the outset that the cybersecurity landscape has improved over time, mainly thanks to the persistent increase in cybersecurity spending year after year. Gartner estimates that the United States and the rest of the world will invest $172 billion in cybersecurity this year, up from $150 billion last year, and will continue to increase steadily thereafter.
These investments have produced, among other things, security analytics, a proactive approach to cybersecurity that uses data collection, aggregation and analysis capabilities to better detect and mitigate cyber threats. There is also the increasing efficiency of artificial intelligence and machine learning, and now zero trust architecture is gaining interest in many organizations. Breaking into large organizations is harder than ever for attackers.
Nevertheless, the incidence and scope of cyber breaches continue to increase in most years, and cyber experts agree that a considerable number of important organizations have already been compromised and are likely to be compromised again at some point. Why? A common refrain is that malicious actors keep improving and evolving, and while companies are working hard to keep up, it only takes one mistake to open the door for cybercriminals.
Yet there is also another major reason – and one that gets far less attention.
Many organizations still have significant security gaps. These include poor cyber training, poor incident response plans, and the tendency to buy so many security tools that they often end up undermining each other. In addition, according to a report by market research firm Lightcast, the growing number of cybersecurity job openings, numbering 715,000 in the United States alone, is clearly not being sufficiently addressed.
Are there solutions to these shortcomings? Yes, but they will require some attention. Here are some observations that could fill in these gaps:
Cybersecurity Jobs Hiring Needs Improvement
To compound the shortage of cyber workers, companies often make hiring mistakes, leading to recruitment difficulties. Vacancies do not simply make it harder for businesses to maintain network security. They also negatively impact existing cybersecurity teams, which are expected to do whatever it takes to maintain network security with only a fraction of the staff required. This leads to burnout and causes more people to leave the industry altogether.
A big part of the problem is that those doing the hiring can’t get around rigid rules. Like most professions, cybersecurity job advertisements come with requirements, including experience and qualifications. As articles in ZDNet, Protocol and elsewhere point out, it’s not uncommon for HR departments to be too strict given the scarcity of cybersecurity professionals. A number of these applicants are competent – even without formal qualifications – and yet many are passed over for job postings.
An example of this is that many cybersecurity certification bodies require up to five years of proven full-time experience. These certifications are required for many higher-level security roles. Even candidates with degrees in cybersecurity and computer science are often turned down for lack of a particular certification.
Poor cyber training
Employees typically receive a day or two of security awareness training when hired, and then some sort of refresher once a year. It’s not enough. Many employees forget some of what they have learned after a few months. In any case, all employees need extra help with cybersecurity because it’s constantly changing. The Advanced Computing Systems Association recommends companies conduct cybersecurity training every four to six months, preferably using interactive examples and videos.
It is important to note that the knowledge and sophistication of trained employees varies considerably, which often hinders the effectiveness of training. Some studies have shown that even employee dispositions can determine an individual’s chances of being compromised. A study found that respondents who identified as “Type A” personalities did not believe they were at increased risk from reusing passwords, a risky practice. They thought their own proactive efforts were enough.
Too many employees remain insufficiently informed about cybersecurity, in part because many executives and managers are placing a higher priority on other things, like accumulating new technologies to drive productivity gains.
Below average incident response plans
Incident response plans (IRPs) are designed to speed up the response to an organizational breach in order to mitigate reputational damage, customer distrust, regulatory and legal fees, and cleanup costs. Organizations must be resilient. Highlighting that most companies are heavily focused on cyber prevention, not remediation, research from IBM Security and the Ponemon Institute found that 74% of security and IT professionals surveyed in 11 global markets did not think it was necessary to adopt IRPs consistently across their organizations – or at all.
So what do companies do when serious cybersecurity issues arise? They mainly rely on their security department for help. To mitigate a breach as much as possible, many more employees must also make a serious commitment to staying abreast of cyber threats. They must adopt the right mindsets and behaviors.
Building up a large stockpile of security tools sounds like a good idea, but it usually isn’t. A study by the Ponemon Institute found that the average organization has more than 45 such tools. Those who used more than 50 were ranked 8% lower in their ability to detect an attack and 7% lower in responding to an attack. The problem: all of these tools often conflict with and compromise each other.
If the solutions are not fully integrated, which is typical, a holistic view is difficult to grasp as a cyber employee jumps from one computer console to another. Plus, more security tools mean more — often false — alerts to manage. In short, complexity is a hidden cost.
Chief Information Security Officers (CISOs) Say Even Greater Cybersecurity Investments Are Needed
CISOs play a crucial role in driving investments in cybersecurity, and more than half of them believe that their boards of directors still do not provide sufficient investments to mitigate cybersecurity risks, according to a survey by Censuswide, an international market research consultancy based in London. CISOs say some boards only discuss cybersecurity in the event of a breach.
In this case, CISOs themselves are part of the problem. Many need to learn to be more savvy in communicating with the board. They should avoid speaking in jargon, knowing that the board is rarely made up of cyber experts. Equally important, they must avoid using fear, uncertainty and doubt to drive home a point. They should always make it clear that the health of the business is everyone’s highest priority.
Business leaders should pay attention to key building blocks of their infrastructure, such as ensuring the organization has a secure network with secure users and double-checking that hardware and software are kept consistently up to date. This way, security vulnerabilities are discovered sooner rather than later.
More importantly, leaders must create a culture around their security infrastructure. It is important that they understand how their leaders currently approach cybersecurity and what changes might be needed. They need to prioritize making things better and think about what else might be needed down the line. These steps help ensure growth through digital trust and build both employee pride and an organization’s reputation with customers.
About the Author: Robert Ackerman Jr. is the Founder and Managing Director of AllegisCyber Capital, a Silicon Valley-based startup venture capital firm. He is also co-founder and board director of DataTribe, a Fulton, MD-based seed and start-up foundry that invests in cybersecurity and data science start-ups.
Bob has been recognized as a Fortune 100 Cybersecurity Leader and also one of “Cybersecurity’s Money Men”. Previously as an entrepreneur, Bob was President and CEO of UniSoft Systems, a leading UNIX systems company, and Founder and President of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.