Between high job stress levels, difficulties in finding qualified and experienced IT security professionals for their teams and constant worries about their companies falling victim to cyberattacks, chief security officers say they have a lot to worry about in 2018.
That's the conclusion of a new study, "What CISOs Worry About in 2018," by security research group and think tank The Ponemon Institute, sponsored by security risk and compliance vendor Opus. The 22-page study, which is based on responses from about 612 chief security officers and other IT security experts between November and December 2017, asked the respondents about their biggest security concerns in the new year.
The biggest concern, the study reported, is being able to find and hire qualified staff members to fill out their IT security teams. Some 70 percent of the respondents said they are challenged by a substantial "lack of competent in-house staff" within their companies, making it harder to get things done to prepare for security incidents and to build and harden their ongoing security strategies. Some 65 percent of the respondents cited "inadequate in-house expertise" as the top reason their companies will likely have a data breach this year, the report continued.
About 66 percent of the respondents said they believe their companies are more likely to fall victim to a cyberattack or data breach in 2018, with some 60 percent reporting that those concerns are higher than they were last year.
Some 65 percent of the respondents reported that it's highly likely that they'll experience credential theft due to a careless employee falling for a phishing scam, according to the study, while about 60 percent said they believe that IoT devices will be the most challenging disruptive technology they will have to deal with this year. Mobile devices and the cloud were ranked as the second and third most challenging disruptive technologies they will face in 2018, according to 54 percent and 50 percent of the respondents, respectively.
With all these tough issues on their minds, some 69 percent of the respondents said they believe their jobs will be even more stressful in 2018 than they were last year, while 63 percent said they expect to see their IT security budgets decline or remain flat. Some 45 percent of the respondents said they fear losing their jobs if their company is struck by a data breach.
The issues described by the respondents in the study are very real and widespread, Dr. Larry Ponemon, the chairman and founder of the Ponemon Institute, told ITPro Today.
"Making sure they have the right people is the number one concern" today for chief security officers, said Ponemon. "It really is a problem. A lot of organizations have open positions for years."
Often potential hires have training for the jobs, but not the deep, real-world experience which companies require, he said.
"You would think that a person has to start somewhere, but with security, unfortunately, the expectation is that when I hire you on day one, you are going to get to work immediately" solving a company's problems, he said. "It doesn't work that way in other industries."
To battle such staffing shortages, companies should consider hiring several people with varying skills and experience that complement each other – essentially filling the job requirements by using a new strategy, said Ponemon.
"A lot of organizations are really not that smart when it comes to hiring security people," he said. "Because IT security is so important. organizations should be smarter by hiring people and helping to get them up to speed. It doesn't take forever to get them to speed."
Not all the news in the study was negative, said Ponemon.
One bright development is that 37 percent of the respondents expect the state of security within their companies to improve in 2018, despite all the problems that keep them on the edge of their seats every day.
Another 37 percent of the respondents said they expect the state of security within their companies to stay the same. About 27 percent said they expect it will get worse.
"There's a little bit of optimism here," said Ponemon.
One thing CISOs can do to make IT security better inside their operations is to educate and encourage board members and C-level executives to view IT security as a more important issue and as part of the overall business strategy of the company, he said.
"You want to get board-level involvement to make them accountable at the top," said Ponemon. "Security has always been a middle-management issue. You really can't succeed if you are constantly vulnerable to attack. Raising it to the board and CEO brings it to a higher level of importance inside the organization."