ISACA, one of the world’s oldest cybersecurity organizations and a global network of over 460,000 IT professionals, produces an annual “State of Cybersecurity” report that tracks cyber security trends and emerging threats. Part two of the 2019 edition has a number of interesting revelations, the biggest of which is the apparent scope of underreporting of cyber crime.
Cyber security trends: Findings and insights
ISACA surveyed 1,576 cyber security professionals in decision-making positions in their organizations. Respondents are with organizations ranging in size from enterprise to small-to-medium.
The headliner of the most recent part of the cyber security trends report is the underreporting of cyber crime around the globe, which appears to have become normalized. About half of the respondents indicated that they feel that most enterprises do not report all of the cyber crime that they experience, including incidents that they are legally obligated to disclose.
This is taking place in a cyber security landscape in which just under half of the respondents said that cyber attacks had increased in the previous year, and nearly 80% expect to have to contend with a cyber attack on their organization next year. And only a third of the cyber security leaders reported “high” confidence in the ability of their teams to detect and respond to such an attack.
There is an interesting correlation of confidence with organizations that have a specialized Chief Information Security Officer (CISO). Organizations structured with a CISO report the highest levels of confidence in their ability to respond to an attack, while those with a more generalized CIO in charge of security report the lowest levels. Respondents actually indicated a preference for organizational cyber security running directly through a CEO rather than a CIO.
ISACA 2019 attack trends
The most recent ISACA cyber security trends report identified the top threats as coming from cyber crime groups and hackers, which one would expect. The third-greatest threat is from non-malicious internal employees; that is to say, Bob in accounting who unwittingly clicks on a phishing email link and opens the entire network up to attackers.
The leading types of attacks are no surprise, either: phishing, malware and social engineering. In spite of a seeming resurgence in early 2019, the cyber security trends survey reports that ransomware is down significantly – only 20% of respondents experienced such an attack this year, down from 37% in 2018.
Non-malicious insiders have long been the leading cause of breach incidents at most businesses. Hackers are increasingly targeting specific departments or even individuals with phishing and malware links, as that initial point of compromise usually leads to much greater access to the network within as little as a few hours. Though employees are most commonly phished, weak passwords and “credential stuffing” attacks continue to be a significant issue.
Inadvertent network compromise by employees seems to have grown big enough to catch the attention of the boardroom, however. The 2019 ISACA cyber security trends study indicates that 33% of CEOs surveyed are now willing to fire an employee who causes a data breach, even if it is under non-malicious circumstances.
Is cybersecurity hiring to blame?
The shortfall of qualified cyber security professionals is expected to be as much as 1.8 million globally by 2022, according to recent estimates.
The findings of the second part of the 2019 ISACA cyber security trends study thus support some of the conclusions reached by the data gathered in the first part released in March, which was focused on staffing challenges.
Across the board, organizations are having trouble both recruiting and retaining good cyber security professionals. The more specialized technical skill the role requires, the harder it tends to be to find and retain the right person. ISACA board director Gregory Touhill posits that one of the main issues is simply that compensation is out of balance. Organizations tend to not properly estimate the likelihood and costs of data breaches, particularly as compared to the compensation packages offered to the professionals that can stop them.
Threat researcher and ISACA correspondent Marcelle Lee further opined that there is too much of a focus on finding the absolute ideal candidate in cybersecurity hiring practices. She points out that though there is a shortfall in terms of meeting listed requirements for job openings, there is not so much of a shortfall in terms of available candidates. Lee chalks this up to classic HR biases and overly ambitious job listings that mandate far more specific technical skills than are actually necessary for the position. Organizations are often tripped up by something as simple as requiring a computer science degree when many professionals working in that specific role do not have or need one.
The employment shortfalls definitely skew to labor rather than management. 52% of the organizations surveyed said the biggest shortfall problems were in the area of technical staff, while 72% said that they currently have no C-suite openings for cyber security management roles.
In light of this, the earlier statistic regarding CISO preference is worth revisiting. While there are many good and capable CIOs out there, the cyber security trends survey findings correctly point out that the job is oriented more toward acquisition and management of IT elements for the company. Given that, a security focus can be too much added burden for a CIO to be expected to handle; at the very least it may not be in their training and experience wheelhouse. It is also quite possible that lack of security training and knowledge in the executive ranks is contributing to the seemingly widespread failure to disclose incidents properly.
With the exception of the sharp downswing in ransomware in the first quarter of 2019, the ISACA 2019 cyber security trends study reinforces much of what is already out there. The most worrying new element is the amount of underreporting of breaches that appears to be going on, even in parts of the world that have strong government regulations mandating disclosure of these incidents. It remains to be seen if legislation will ultimately have the desired effect, but in the interim it would appear that many organizations are still playing catch-up in a cyber crime landscape that is only becoming more pernicious by the year.