New study shows CISOs not confident in their ability to protect

Cybersecurity professionals have an alarming lack of confidence in the ability of their teams to protect their organisations beyond the most basic cybersecurity incidents, according to a new report.

The study, by ISACA and RSA Conference, highlights a fairly dramatic loss of confidence on the part of security professionals in their team’s ability to detect and respond to incidents. The proportion who are confident fell 12 percentage points to 74%, according to the ISACA/RSA Conference State of Cybersecurity study.

Among those 75% who are confident their team can detect and respond to incidents, six in 10 say they don’t believe their staff can handle anything beyond simple cybersecurity incidents.

That concern was further highlighted by a marked lack of situational awareness among professionals for whom cybersecurity or information security is their primary role: 24% said they didn’t know whether any user credentials were stolen in 2015, 24% didn’t know which threat actors had exploited their organisations, 23% didn’t know whether they had experienced an APT, and 20% didn’t know whether any corporate assets had been hijacked for botnet use.

When it comes to employing staff, the number who say less than half of job candidates were considered ‘qualified upon hire’ has risen from 50% to 59% in a year, with 27% reporting they needed six months to fill a cybersecurity position, up from 24% in 2014.

Ron Hale, ISACA chief knowledge officer, says the lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking.

“Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce,” Hale says.

The report also shows that while cybersecurity may be front and centre on boardroom agendas these days, chief information security officers still don’t have a seat in the boardroom.

The study found that 82% of cybersecurity and information security professionals surveyed said their board of directors is concerned or very concerned about cybersecurity; however, only 14% of CISOs report to the chief executive.

The gap between belief and actions comes at a time when 74% of security professionals expect a cyberattack in 2016 and 30% say they experience phishing attacks every day.

Jennifer Lawinski, RSA Conference editor-in-chief, says while there are signs that C-level executives increasingly understand the importance of cybersecurity, there is still plenty of room for improvement.

“The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue,” Lawinski says.

However, the news from the study wasn’t all bad.

Despite the fact that most CISOs report into an organisation’s technology function, this year’s study shows ‘encouraging’ signs that cybersecurity does earn respect: 61% of those surveyed expect their cybersecurity budget to increase in 2016, and 75% say their organisation’s cybersecurity strategy now aligns with enterprise objectives.
