In today’s climate, it is fully apparent that organizations must treat cyber security as a central business priority.
While awareness about cyber security’s importance is spreading among enterprise leaders – and how could it not, given the way cyber threats have dominated many of our recent news cycles? – ISACA’s State of Cyber Security 2017: Current Trends in the Threat Landscape report suggests that the growing awareness must lead to addressing unsettling gaps in many organizations’ security programs.
The report shows that only 53 percent of organizations have a process in place to handle and recover from ransomware incidents – a very concerning statistic, but perhaps one that will change markedly in the aftermath of the massive WannaCry attacks. The enormous scope of those global attacks made it clear that any organization unprepared for ransomware is in need of “a rapid rethink,” as my ISACA colleague, Raef Meeuwisse, noted.
Concerns about the security of Internet of Things (IoT) devices also show no signs of abating. The majority of enterprises said they are concerned about IoT devices in the workplace, which surely factors into the 4 in 5 respondents who consider it likely or very likely that their enterprise will experience a cyberattack this year.
Not all is gloomy – there were some encouraging findings, as well. The State of Cyber Security 2017 report finds that exploits resulting from mobile device loss are down significantly, which aligns with the recent Study on Mobile Device Security from the US Department of Homeland Security, in conjunction with NIST. That report indicates that mobile device security is generally improving, noting, however, that “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”
ISACA’s 2016 State of Cyber Security report showed that 50 percent of the responding organizations had CISOs. This year, 65 percent have them, which reinforces that executive leadership is making security a priority. Still, budgets are not keeping up with the rapidly expanding threat landscape; only half of organizations expect an increase in their security budgets in the coming year, 11 percentage points fewer than those who said they expected an increase in last year’s report.
If enterprises are going to be prepared for the mounting challenges, investing in a strong cyber security workforce is a must. Security professionals must not only be trained, but have their skills developed and refreshed using hands-on technical training and performance-based assessment, which is why this year ISACA developed the Cybersecurity Nexus (CSX)™ Training Platform. This focus on skills development must occur while assuring that professionals understand the nature of the enterprises for which they work.
There is much that must be done – urgently – as ISACA’s State of Cyber Security 2017 makes clear. Consider that fewer than half of security leaders said they are confident in their team’s ability to handle anything beyond simple cyber incidents. In today’s threat landscape, that is unacceptable.
By now, the importance of bolstering cyber security capabilities is clear to all responsible enterprises. The ones that commit to developing a strong culture of cyber security – and providing the resources necessary to build skilled and well-trained security teams – are the ones that will thrive in today’s global economy.
Editor’s note: Current Trends in the Threat Landscape is the second installment in ISACA’s State of Cyber Security 2017 report. The first installment focused on workforce trends and challenges. Both reports are available at www.isaca.org/state-of-cyber-security-2017.
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT
[ISACA Now Blog]