New study shows CISOs not confident in their ability to protect
Cybersecurity professionals have an alarming lack of confidence in the ability of their teams to protect their organisations beyond the most basic cybersecurity incidents, according to a new report.
The study, by ISACA and RSA Conference, highlights a fairly dramatic loss of confidence on the part of security professionals in their team's ability to detect and respond to incidents. Numbers who were confident were down 12 percentage points to 74% according to the ISACA/RSA Conference State of Cybersecurity study.
Among those 75% who are confident their team can detect and respond to incidents, six in 10 say they don't believe their staff can handle anything beyond simple cybersecurity incidents.
That concern was further highlighted by a marked lack of situational awareness for professionals for whom cybersecurity or information security is their primary role, with 24% saying they didn't know if any user credentials were stolen in 2015, 24% not knowing which threat actors exploited their oganisations, 23% not knowing whether they had experienced an APT, and 20% not knowing whether any corporate assets were hijacked for botnet use.
When it comes to employing staff, the number who say less than half of job candidates were considered ‘qualified upon hire' has risen from 50% to 59% in a year, with 27% reporting they needed six months to fill a cybersecurity position, up from 24% in 2014.
Ron Hale, ISACA chief knowledge officer, says the lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking.
“Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce,” Hale says.
The report also shows that while cybersecurity may be front and centre on boardroom agendas these days, chief information security officers still don't have a seat in the boardroom.
The study found that 82% of cybersecurity and information security professionals surveyed said their board of directors are concerned or very concerned about cybersecurity, however only 14% of CISOs report to the chief executive.
The gap between belief and actions comes at a time when 74% of security professionals expect a cyberattack in 2016 and 30% say they experience phishing attacks every day.
Jennifer Lawinski, RSA Conference editor-in-chief, says while there are signs that C-level executives increasingly understand the importance of cybersecurity, there is still plenty of room for improvement.
“The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue,” Lawinski says.
However, the news from the study wasn't all bad.
Despite the fact that most CISOs report into an organisation's technology function, this year's study shows ‘encouraging' signs that cybersecurity does earn respect with 61% of those surveyed expecting their cybersecurity budget to increase in 2016 and 75% saying their organisation's cybersecurity strategy now aligns to enterprise objectives.