Executive Buy-In for Security GrowsBut Finding Skilled Staff is Ongoing Challenge
Banking, healthcare, technology, retail, government and other sectors worldwide are taking cybersecurity more seriously, according to new research just out from the consulting firm Ernst & Young.
Top-level management is buying in to the need for more cybersecurity investments as well as the need for threat-intelligence sharing, the research confirms. And executives expect accountability when breaches result in data loss and exposure, the new study shows. E&Y surveyed or interviewed 1,900 corporate and information security executives in 64 countries for its new report.
This year, there has been more spending on threat and vulnerability management.
This new evidence of cybersecurity awareness among senior leaders is encouraging news.
Unfortunately, organizations throughout the world continue to struggle to hire enough qualified staff to help ensure adequate cybersecurity, the research confirms. Chip Tsantes, a principal in E&Y's financial services office, says the talent pool of cybersecurity professionals just isn't big enough to meet demand.
The Research Findings
According to E&Y's research, 70 percent of survey respondents say information security policies are "owned" by the highest-level executives within the organization. That means executives are taking responsibility for cybersecurity initiatives, and they're making information technology a priority. What's more, 76 percent say they conduct or commission risk assessments to regularly test the security measures of the third parties their data.
Both are good signs.
"The one thing that jumped out to me was that spending [on cybersecurity] had been flat or had just seen modest growth for the last several years," Tsantes says. "But this year, there has been more spending on threat and vulnerability management. More is being invested there, and that's a new trend."
The distributed-denial-of-service attacks waged against U.S. banking institutions served as a catalyst, at least in part, for new cybersecurity investments as well as information sharing, Tsantes says.
"DDoS woke banking up, but other industries were woken up, too," he says. "We can share those insights and we can leverage our DDoS experience."
Information sharing has been embraced across multiple industries, Tsantes says. "We are seeing that more in banking and healthcare and aerospace," Tsantes says. "There's been more focus on the critical infrastructure industries."
During Information Security Media Group's Fraud Summit last week, the critical role threat intelligence sharing has played in helping banks and other industries defend themselves against DDoS attacks, and other attacks waged to compromise intellectual property, was a central theme.
Whether cyber-attacks are waged by nation-states, well-organized cyber-criminals or weekend hackers who are working out of their basements, they have the potential to be damaging.
"Most of the time in the past, most organizations spent money on trying to protect intellectual property," Tsantes says. "Today, it's different. You have to be concerned about all attackers, even though they all have different motivations."
Staffing Challenges Ongoing
Nearly half of E&Y's survey participants report that a lack of skilled staff members is one of the main challenges they face when it comes keeping up with new cyber-risks, emerging threats and the changing risk landscape.
Tsantes says we can expect to see more new workers with cybersecurity training entering the workforce in the next two to four years as more educational programs are offered.
In the meantime, he offers this advice: "It certainly is a challenge, but you just need to be smarter about how you deploy your smart people." It's not so much that organizations lack the right talent; it's more that they don't give employees the right tools to do their jobs effectively, he says.
In a nutshell, organizations need to do a better job of prioritizing resources.
Is your organization having trouble recruiting information security professionals? What are your other top cybersecurity challenges? I'd like to hear from you. Submit your comments in the space below.