Who is winning the cyber war—the criminals and hackers or network and system defenders? ISACA and RSA Conference wanted to answer this question so we conducted the second annual State of Cybersecurity study, which was released today at the RSA Conference.
The data shows us that the answer is a bit unclear. Cyber attacks are still pervasive. We are still experiencing many of the same attack types that have plagued organizations for years. And it is increasingly difficult to hire fully capable cyber-practitioners and others who are part of the enterprise assurance and risk management network. The good news is that executives and board members are very concerned. They recognize that cyber threats are harming the bottom line and that—if they want to deploy leading-edge technologies and offer new technology-based services and products—they need to ensure that security is designed in and that personal information is protected.
One-third of the 461 cyber and information security specialists who participated in the study reported that their organization was a cyber-victim in 2016. While this is a high number in itself, an additional 20 percent did not know if their organization had been a victim. When asked about the frequency of attacks, the largest number (23 percent) reported experiencing cyber-attacks at least quarterly. The most frequent attacks were phishing, malicious code incidents, physical loss of computing or mobile devices, and hacking. As you might expect, the experience of attacks on a daily, weekly or monthly basis were reported less frequently. An alarming trend is that 54 percent of study participants did not know how frequently they experience cyber-incidents. While 73 percent believed they were able to detect and to respond to incidents, 42 percent felt they could only do so for simple attacks. In an era of increasingly sophisticated and persistent attacks, being able to identify and respond to attacks is imperative.
Board and executive concern and support for cyber activities are increasing. Eighty-two percent of security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity. This is not surprising given the higher level of awareness about cyber in general and the number of high profile attacks that we have recently seen. Executive support for cyber is essential. We find that executive support for enforcing security policy (66 percent) and providing needed funding (63 percent). The challenge is that less than half of executives follow good security practices themselves (43 percent) or mandate cyber awareness (59 percent). Cyber is not only a technical problem. Many attacks target the weakest link, executives who do not follow good practices, and employees who are security unaware.
Technical solutions to address cyber threats are getting better. We have all witnessed how technology vendors are enhancing current products. New startup companies are bringing very exciting products to the market. These however will not solve the problem alone. More important is the need to address the critical shortage of skilled cyber practitioners. Security executives are finding this difficult. The majority (54 percent) reported that it takes from three to six months to find a candidate. Less than half of these candidates (59 percent) are fully qualified on hire. Slightly more than 60 percent lack the required technical skills. Three quarters do not have the necessary understanding of the business to be effective. Slightly more than 60 percent do not have needed communication skills. Security will never be effective if new practitioners don’t have a strong technical understanding, the ability to address cyber-risks in business language, and if they cannot clearly and concisely communicate security issues.
While technology will help us meet cyber-challenges, it is also creating new opportunities for compromise. Cyber specialists are concerned about the rapid development of artificial intelligence products as well as the Internet of Things (IoT). We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked. More than half of those participating in the study are concerned or very concerned about the risk associated with the IoT. Forty-two percent believe that cyber risk associated with artificial intelligence will increase in the short term and 62 percent believe that risk will increase in the long term.
So, are we winning the cyber war? Not yet. We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding. We are building our capabilities by deploying good technologies, but we don’t have sufficient skilled staff to bring to the battle. We still have too many leaders who say they support cybersecurity but do not consistently follow best practices or encourage cyber awareness in the enterprise.
To further complicate things, advanced technologies are expected to gain wide acceptance when we are still unsure about the risk they represent. The good news is that the challenges we are experiencing can be solved. We see increased attention to cyber by governments, research institutes and enterprise decision makers. Public awareness is increasing. Programs are being offered to solve the skill shortage. With skills-based training and performance-based testing, we are building the front line defenders and responders capable of engineering strong defenses and aggressive response plans.
Note: For the full survey report and related graphic, visit www.isaca.org/state-of-cybersecurity-2016. Hale will present a webinar on the study results and their implications on 8 March. Registration is open here.