Just over a third (35%) of global organisations do not have a cyber security expert in-house despite almost all (95%) CIOs expecting cyber security threats to increase.
The finding is from Gartner’s 2018 CIO agenda survey, which questioned more than 3,000 CIOs in 98 countries.
The lack of in-house expertise is a concern as organisations are struggling to keep up with and predict how cyber criminals will attack, the survey found.
“In a twisted way, many cyber criminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data,” said Rob McMillan, research director at Gartner.
“CIOs can’t protect their organisations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it.”
The survey found that 35% of organisations have invested in and deployed some digital security, and 36% are experimenting or planning to do so in the short term. Gartner said that, by 2020, 60% of security budgets will be used to boost detection and response capabilities.
But McMillan said raising budgets alone does not reduce risk. “Security investments must be prioritised by business outcomes to ensure the right amount is spent on the right things,” he added.
Gartner warned that risks will also increase as CIOs target growth and increased market share, which the survey found is the top priority for CIOs this year.
“Growth often means more diverse supplier networks, different ways of working, funding models and patterns of technology investing, as well as different products, services and channels to support,” said McMillan.
“The bad news is that cyber security threats will affect more enterprises in more diverse ways that are difficult to anticipate. While the expectation of a more dangerous environment is hardly news to the informed CIO, these growth factors will introduce new attack vectors and risks that they’re not accustomed to addressing.”
The current skills shortage is also a big problem for CIOs. A recent survey from the Institute of Information Security Professionals (IISP) highlights the problem, with the share of respondents reporting a lack of skills as a main challenge growing to 18%, up from just 8% in 2015.