As cyber threats continue to rise, an annual survey from ISACA has found that enterprises face continued difficulty finding qualified personnel to fill cyber security positions. It also highlighted four emerging areas in the current environment that concern practitioners over and above traditional threats.
One-third of the respondents to the “State of Cyber Security 2017” survey conducted in October 2016 note that their enterprises receive more than 10 applicants for an open position, but 64% of that one-third indicate that fewer than half of the applicants are qualified. Moreover, even skilled resources, once hired, require time and training before they are fully up to speed and performing their job at a competence level equivalent to others who are already in the enterprise.
These personnel and staffing challenges compound the challenges that enterprises are already experiencing in the threat landscape—those associated with a slowdown in the allocation of resources to combat threats and the growth in complexity and hostility of the threat environment itself. Specifically, attacks are increasing, but the resources allocated to combat those attacks, while still growing, are growing at a reduced rate compared with prior years.
1. Budgets are still expanding, but more slowly.
Half of the enterprises represented by the survey respondents anticipate a growth in their cyber security budget over the next year. Although this is an encouraging sign and points to the fact that cyber security is increasingly being seen as an investment area, the rate of growth appears to have slowed. Specifically, for 2016, 61% of survey participants indicated expected budget growth; for 2017, only 50% report an expected increase.
2. The threat environment is increasingly hostile.
This slowdown in expansion is occurring at the same time that enterprises are seeing an increase in attacks. 53% of respondents reported an increase in attacks in 2016, and 80% believe it is either “likely” or “very likely” that they will be attacked in 2017. 10% of respondents report experiencing a hijacking of corporate assets for botnet use, 18% report experiencing an advanced persistent threat (APT) attack, and 14% report stolen credentials.
3. Internet of Things (IoT) is replacing mobile as the emerging area of concern.
Threats resulting from mobile-device loss are down from last year, but IoT appears to be emerging as a new challenge area. Concern about the cyber security ramifications of IoT shows no sign of slackening, while the number of respondents for whom IoT is “on the organization’s radar” increased significantly over last year. 59% of the 2016 respondents cite some level of concern relative to IoT while an additional 30% are either “extremely concerned” or “very concerned”.
4. Ransomware is expanding, but the processes to address it are not yet ubiquitous.
The number of malicious code attacks, including ransomware, remains high. More than three-quarters (78%) of the respondents report that their enterprises experienced attacks in 2016 that included malicious software, and 62% report a ransomware attack specifically. Only 53% of the participants indicate that their enterprises have a formal process in place to deal with ransomware attacks.
ISACA is the international professional association focused on IT governance. The ISACA State of Cyber Security 2017 survey was conducted in October 2016 among managers and practitioners from the US, Europe and Asia who have cyber security job responsibilities.