The level of threat is outstripping the corresponding increases in budgets, according to the report “The Security Profession in 2018/19” from the newly Chartered Institute of Information Security (previously known as the IISP). Exposures in all businesses are on the rise, the survey, mainly of members, suggests. Many companies are still dealing with traditional or older issues like patching and fixing vulnerabilities.
At least 45 percent of respondents chose a lack of resources as the biggest challenge, compared to 37 percent for a lack of experience, and 31 percent for a lack of skills. Ultimately, cyber security people feel their budgets are not giving them what they need – only 11 percent said security budgets were rising in line with, or ahead of, the cyber security threat level, while the majority (52 percent) said budgets were rising, but not fast enough.
Professionals were also clear about where threats originate. Overwhelmingly, 75 percent perceived people as the biggest challenge they face in cyber security – with processes and technology near-equal on 12 and 13 percent respectively. This may explain the need for more resources even as budgets increase: people are a far more complex issue to deal with. Yet at the same time, there are signs of improvement. More than 60 percent of IT professionals say that the profession is getting better – or much better – at dealing with security incidents when they occur, with only 7 percent saying the profession is getting worse. Conversely, less than half (48 percent) of respondents felt the industry is getting better at defending systems from attack and protecting data, with 14 percent saying the profession is getting worse. This suggests an ongoing move in the industry – from focusing on prevention, to an all-encompassing approach to security.
Amanda Finch, CEO, Chartered Institute of Information Security, said: “IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches. As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”
Pictured is the seal of the CIIS’ charter, as displayed at the Institute’s IISP LIVE 2019 conference in Birmingham last month; for more see the August 2019 print issue of Professional Security magazine.
Other findings included:
Asked to identify the worst or most notable security events or breaches of the last year, more than one third of respondents pointed to Facebook, both for its own breaches and for its relationship with Cambridge Analytica. British Airways was second, with almost a quarter of responses. All the incidents highlighted by the most respondents were as notable for the aftermath of the breach as for the breach itself. The innovation predicted to have the greatest effect on security in general was AI and machine learning – suggesting this is an area for organisations and people to target their skills development. IoT, and monitoring and SIEM technologies, and the new data protection law also featured.
The focus on a lack of resources, experience and skills suggests that IT security teams are feeling the effect of the IT skills shortage. Yet this is also an opportunity for individuals, the Institute suggests. The majority of IT security professionals surveyed believe this is a good time to join the profession – 86 percent say the industry will grow over the next three years and 13 percent say it will “boom”. There is also an opportunity, and need, for women in the industry – 89 percent of respondents identified as male, and 9 percent as female. More than 37 percent say they have better prospects than a year ago, and the factors attracting people to take security jobs are the same as then – remuneration, followed by scope for progression and variety of work. Insufficient money, or a lack of opportunity, also cause people to leave security positions – yet the top factor causing people to leave their jobs is bad or ineffectual management.
Amanda Finch added: “In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed. At the same time, they cannot simply hire anyone to fill the skills gap – bringing the wrong person into a role can be a greater risk than an empty seat. Instead, organisations must understand what roles they need to fill; what skills those roles demand; and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need. This doesn’t only mean developing technical skills, but the social, organisational and strategic skills that are essential to put security at the heart of the business.”
The survey covered IT security people from a variety of backgrounds, CIIS members and non-members. The full 24-page report can be read on the Institute’s website.