More companies are hiring CISOs as private industry faces cyberattacks, report says
As cybersecurity budgets and staffing needs continue to increase, businesses must also move to address increasingly malicious threats, according to ISACA’s annual global cybersecurity survey.
More than half of respondents — 53 percent — reported an increase last year in cyberattacks, with 80 percent reporting that an attack is likely to strike their business in 2017, according to the survey of 600 firms. Just 53 percent, however, reported that their business had a formal process for handling these attacks.
One concrete sign that cybersecurity is gaining more attention from businesses: The number of organizations with chief information security officers, or CISOs, is up 15 percentage points, according to ISACA’s 2016 State of Cyber Security report, with 65 percent now including the position. But while cybersecurity is becoming more of a concern, the availability of tools to combat attacks is not keeping pace.
“Consider that this year’s survey found that only fewer than half of security leaders are confident in their team’s ability to handle anything beyond simple cyber incidents,” ISACA CEO Matt Loeb wrote in the report. “To say that is concerning is an understatement. Resources must be allocated to sharpening those skills and improving organizations’ abilities to rapidly detect and respond to advanced cyber threats.”
The Internet of Things has usurped mobile as an increasing security concern, according to the report. Meanwhile, the budget for cybersecurity continues to grow, but this growth is down 11 percentage points from last year’s report.
As cyberattacks, specifically ransomware, become a growing area of concern, businesses are also finding it challenging to fill cybersecurity positions. “One-third of the respondents note that their enterprises receive more than 10 applications for an open position,” the report states, “but 64 percent of that one-third indicate that fewer than half of the applicants are qualified.”
Loeb wrote that information about security must be shared amongst organizations and additional resources must be allocated to cybersecurity to address these evolutions in the field. But “building and maintaining a strong cybersecurity workforce” is key.
“Security professionals must not only be trained, but have their skills maintained using hands-on technical training and hands-on performance based assessment,” Loeb stated. “And this must be done while also assuring that these professionals understand the nature of the businesses for which they work.”