Cyber security: A work in progress

There is always a risk that cyber security surveys are simply designed to create headlines rather than provide a true reflection on what is really going on in the industry.

The truth is that, like most industries, change is relatively slow and most surveys provide just a snapshot of views and opinions from the front line. But now in its third year, the IISP survey of security professionals across a wide range of disciplines gives a more measured and mature view of the industry.

The figures show that over the past three years, those feeling that organisations are getting worse at defending against major cyber security breaches has doubled from 9% to 18%. However, in contrast, the number of businesses that feel better prepared to respond to and deal with incidents rose from 47% to 66% over the same period.

So, what do these figures show? The fact that more information security professionals feel that we are less able to protect our IT systems and data, no doubt reflects the difficulty in defending against increasingly sophisticated attacks from multiple threat actors combined with continued pressure on budgets. And coming on the heels of attacks such as WannaCry, may have left many in the security industry feeling that basic factors like patching are still not being picked up, and that not enough progress is being made.

The figures showing that respondents feel we are better prepared to respond to incidents suggests a realisation that breaches are inevitable – it’s just a case of “when” and not “if”. As a result, security teams are now putting increasing focus on systems and processes to respond to problems when they arise as well as learning from the experiences of others to build greater knowledge of what does and doesn’t work along with how to handle breaches and how not to.

Looking at the longer-term data, we can see there seems to be a trend away from simply keeping up, with the “getting better” group growing faster than the “getting worse” camp.

When it comes to investment, the survey suggests that for many organisations, the growth of the threat landscape is still outstripping the increases in budgets. The number of businesses reporting increased budgets dropped from 70% to 64% and businesses with falling budgets increased from 7% up to 12%.

Economic pressures and uncertainty in the UK market are likely to be restraining factors, while the demands of the General Data Protection Regulation (GDPR) and other regulations such as (Payment Services Directive (PSD2) and Networks and Information Systems (NIS) Directive are undoubtedly putting more pressure on limited resources to achieve compliance goals.

The IISP survey report also once again reinforces the problems of skills shortages with the number of respondents reporting a dearth of skills and citing it as a challenge, growing this year to 18%. This lack of skills is significant – with over twice the number (in percentage terms) of respondents highlighting it as a problem, compared with 2015.

This highlights the continued need for industry, government, academia and professional bodies like the IISP to continue to work to resolve these shortages in skills to a level where there is the right mix available to support security functions. There is also perhaps, a continuing need for security teams and managers to look at ways to work smarter and use technology better, as well as building and retaining expert teams.

While acting as a potential brake on capability, the skills shortage is also driving job prospects year-on-year, reflected in a growth of respondents in all the higher salary bands and in those reporting good job and career prospects.

The rate of advancement in technology in the wider IT systems and threat environment will also put more pressure on skills and resources. When asked about the impact and disruption caused by emerging technologies, respondents put the internet of things (IoT) and the rise of artificial intelligence (AI) at the top of the list.