Organizational culture typically takes shape as a result of decisions and actions by top management, who are responsible for setting vision, values and practices. When leadership doesn’t understand something, it shows in how the organization handles that particular area.
When it comes to IT security, research by (ISC)2 reveals a tepid commitment to investing in a strong security stance, both in the areas of technology and human resources. Too often, cybersecurity teams are short-staffed, lack the resources they need to handle a cyberattack, or aren’t given the responsibility to fill a more proactive role in protecting company data and networks.
About half of participants in (ISC)2’s 2017 Global Information Security Workforce Study, consisting of IT professionals in charge of security at enterprises and government agencies, say their organization’s leadership is responsible for this situation. The study participants are the people on the front lines of their organization’s cybersecurity defenses.
Based on the results, it’s fair to say there is a leadership problem – at least in some organizations – in matters related to security. Considering the intensity and frequency of recent cyberattacks, this is a troubling state of affairs. The less leaders understand about the current threat landscape, the more likely they are to expose their organization to attack.
Leadership currently lacks a good understanding of cybersecurity requirements, according to 49% of participants in the (ISC)2 study. As a result, leaders too often ignore advice from their IT staff regarding security and don’t invest enough in training and certifications, with only 34% of employers paying in full for cybersecurity training.
Leadership’s attitude also seems to affect hiring practices. The study revealed a disconnect between the skills that are sought and those that are actually needed. While communications and analytical skills were ranked as the top skills and competencies by hiring managers, cloud security and risk assessment are what front-line professionals say their organizations need.
Asked about candidates’ qualifications, survey participants emphasized recruiting candidates with relevant security experience (93%) and knowledge of cybersecurity concepts (92%). While understandable, these hiring requirements may be somewhat unrealistic. Even experienced security professionals require constant refreshing of their skills as the threat landscape rapidly evolves, with 400,000 new malware samples released daily.
No Change in Sight
Unfortunately, it doesn’t appear the attitude toward cybersecurity is about to improve in the immediate future. For instance, 40% of survey participants said they expect their amount of security training and education to remain the same over the next year. About half (42%) expect it to increase.
While only 5% said they expect it to decrease, what we need to see overall is an upward trend. If survey participants are correct that leadership needs a better understanding of cybersecurity, these numbers aren’t encouraging.
Robust cybersecurity is going to require a great investment in people and technology going forward, especially as the attack surface grows thanks to IoT. Achieving that robust stance will take stronger leadership with regard to cybersecurity.