A lack of cybersecurity staff members, a lack of employee training, and not enough boardroom prioritization are top contributors to cybersecurity risk, according to a recent study from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG).
For the survey, 437 information security professionals and ISSA members were interviewed. Respondents were in industries including information technology, government, financial, and healthcare.
Over half of those surveyed - 54 percent - said they have experienced at least one type of security incident. Reasons for the security incidents largely revolved around human factors. Thirty-one percent said that the cybersecurity team is not large enough for the size of their organization, while approximately one-quarter reported a lack of training for non-technical employees.
Twenty-one percent said that business and executive management often put cybersecurity as a low priority.
“The results gleaned from this research are both alarming and enlightening,” said Candy Alexander, Cyber Security Consultant and ISSA’s Chair of the Cyber Security Career Lifecycle. “Alarming in the sense that if we don’t collectively pay attention to the cries for help, we will put businesses unnecessarily at risk. Enlightening in that organizations need to be willing to invest in their cyber security professionals, with clearly defined career paths and skills development in order to hire and retain qualified employees.”
The majority of respondents - 92 percent - also believe that an average organization is vulnerable to some type of cyber attack or data breach. Furthermore, 45 percent of the interviewed cybersecurity professionals said that most organizations are significantly vulnerable to a major cyberattack or data breach while another 47 percent reported that most organizations are somewhat vulnerable to a significant cyber attack or data breach.
Those in the cybersecurity industry, though, want more government assistance with prevention: 89 percent of respondents said they want more help from their government.
However, 66 percent of all respondents believe government cybersecurity strategy tends to be incoherent and incomplete.
In terms of cybersecurity skills, organizations reported that there are acute skills deficiencies in several areas. One-third of respondents said they have a shortage of security analysis and investigation skills, while 32 percent report skills shortages with application security, and 22 percent had a shortage of cloud security skills.
Surveyed cybersecurity professionals did have several suggestions for how cybersecurity risk areas could be improved. For example, 41 percent said increasing the cybersecurity budget would be beneficial, while 40 percent suggested adding cybersecurity goals and metrics to business and IT managers’ objectives.
Additionally, 39 percent advised increasing cybersecurity training for non-technical employees, and 39 percent recommended hiring more cybersecurity professionals.
Another key human factor discussed in the survey is the internal relationship between departments. Twenty percent of cybersecurity professionals said the relationship between cybersecurity and IT is fair or poor, while 27 percent of respondents reported that the relationship between cybersecurity and the business is fair or poor.
The largest issue between IT and cybersecurity is prioritizing tasks between the two groups, according to the study. Being able to properly align goals between cybersecurity and business was the key issue for those two groups.
Just under half of respondents - 44 percent - said that CISO participation with executive management is not at the right level today, and needs to either somewhat or significantly increase in the future.
“Simply stated, these findings represent an existential threat,” Enterprise Strategy Group (ESG) Senior Principal Analyst Jon Oltsik said in a statement. “How can we expect cyber security professionals to mitigate risk and stay ahead of cyber threats when they are understaffed, underskilled, and burned-out?”