You’ve seen the headlines about security breaches at major companies in industries ranging from healthcare and government to online dating. As frequent as these high-profile breaches are, they only scratch the surface. In fact, according to a recent study, 80% of organizations experienced some form of security incident last year.
The reality is that hackers are constantly trying to compromise networks around the world through the use of malware, phishing attacks, social engineering, brute force password attacks, and more. Because of the evident danger and frequent headlines, many organizations say they're making IT security a priority. But are businesses willing to invest in actual change, or is it just talk?
Securing networks: an ongoing challenge
Cybercriminals continue to push the envelope, staying one step ahead of security defenses in an escalating arms race between hackers on one side--including professional hackers working for organized crime rings, and government-backed spies--and organizations with their sensitive data on the other. As soon as the good guys develop better defenses, the bad guys find new ways to exploit devices, networks, and people to get around them. The cycle then repeats itself as both sides evolve their tactics and capabilities.
Often, organizations take steps to improve security by investing in security technology solutions such as firewalls, antivirus, encryption, and intrusion detection software, but sometimes the softer side of security is ignored. To deploy truly effective cybersecurity defenses, companies need buy-in from company leadership and a comprehensive security strategy that includes investment in the right people, training, and security processes.
Cybersecurity expertise undervalued
Business leaders who sit close to the front lines of IT typically prioritize security, but that’s not always the case with the rest of the executive team. A Spiceworks survey shows 73% of technical leadership prioritizes security, including senior IT leaders and the CIO. On the flip side, the rest of the C-suite isn’t quite as keen; only about half of IT pros say security is a priority for their CEO and CTO, and less than half say their CFO, COO, or CMO prioritizes security.
Lack of support from the top could explain why it’s rare to find an organization with a cybersecurity expert in-house, especially in the C-suite. Less than 10% of organizations have a security executive, such as a chief security officer, according to the Spiceworks survey. Even more troubling, less than one-third of companies have a cybersecurity expert in their IT department, and a whopping 55% of organizations don’t have access to an IT security expert at all, internal or external. This is a disturbing development. These days, every organization is highly dependent on information technology systems. What organization can fully function without computers, email, or the internet?
Not having a dedicated cybersecurity expert to protect your network and sensitive data is the equivalent of not checking if your doors are locked at home, then hoping for the best. And the situation is not improving in the near term: Among companies without security expertise, the majority have no plans to hire or contract experts in the next 12 months.
Lack of security training
If companies aren’t enlisting the help of cybersecurity professionals, they must be investing in training to develop security skills from within, right? Not so much, it turns out. The survey revealed that 60% of employers are only somewhat open to investing in security training, requiring a bit of convincing before they open their wallets for security classes and certifications. On top of that, nearly one-fifth of organizations are not willing to fund security training at all, leaving IT pros to learn about network security on their own through websites and books.
Therefore, it comes as little surprise that security certifications within IT departments are fairly uncommon, with more than 70% of IT professionals saying they hold none, despite the fact that security is the subject IT pros want training in the most.
Adding to the overall threat, organizations now need to secure new types of connected devices. For example, the majority of IT pros say they’re confident in their ability to respond to cyberattacks on laptops, desktops, and servers. But when it comes to less traditional -- and often less secure -- devices such as smartphones, connected appliances, sensors, and wearables, they’re much less confident. This is especially concerning, as more IoT devices continue to enter the workplace.
The hard truths of IT security
Ultimately, the survey data indicates security is a huge challenge at organizations of all sizes. And despite the reality that a security incident response team can save organizations $16 per breached record, hiring a single full-time cybersecurity expert or training from within is often not encouraged. This is especially true in businesses with small IT departments that are strapped for resources and preoccupied with the day-to-day struggle of keeping all IT systems running smoothly.
But doing nothing to improve IT security is a failing proposition. New malware strains and threat tactics emerge every day, so IT professionals need to stay current to keep their organizations secure. At a minimum, companies need to break out of the mindset that security expertise is a “nice to have” instead of an essential investment. Ideally, organizations should regularly scan their network for weaknesses, educate their workforce on potential dangers, and enlist the help of penetration testers.
It’s a big effort to implement an effective, multi-pronged IT security strategy that covers the deployment of security technologies, the development of ironclad security policies, security training for IT pros, and the education of end users, who are often the weakest link in the security puzzle. That said, it’s definitely worth the time and investment to close the cybersecurity skills gap so your organization can stay out of the headlines and avoid becoming the latest victim of a high-profile security breach.