Cybersecurity needs more cash and more people
- IBM and Ponemon Institute published their latest Cyber Resilient Organization Report
- Lack of people and lack of funding stand out as two key issues plaguing the enterprise security function
The lack of skilled personnel and underfunding in the cybersecurity area – those are two main themes that emerge from the Ponemon Institute/IBM Cyber Resilient Organization Report. We could argue that staff can only be attracted to cybersecurity roles with the promise of big salaries, and so those two themes could be regarded as one – but while that level of reductionism might be neater, it prevents deeper analysis.
According to the survey results, if organizations are looking to improve their cybersecurity posture, the two ways to make the fastest gains are to employ skilled personnel and to ensure adherence to data protection governance applicable in local territories. Those gains have been most realized over the last two years by those businesses and companies that were not classifiable as “high performing” when it came to cybersecurity.
The measure of cybersecurity breaches identified by the Ponemon Institute might alarm some readers. Incidents that made it into the survey were classified as “causing significant disruption,” or involved the loss of over a thousand personal records of customers or employees. That seems like setting the bar fairly high, considering cybersecurity personnel will be aiming to be 100% watertight. And over the last two years since the last survey of this type, there has only been a nominal fall in the number of such incidents.
The three main reasons quoted by survey respondents (there were 3,400 IT professionals involved) as to why things weren’t improving were lack of skilled personnel and resources (already mentioned), but also the existence of data silos. On that score, the problems seemed to stem from the multiplicity of cybersecurity tools and data, rather than from more general demarcation of data repositories between business functions: HR’s data not being amalgamated with Logistics’ data, for example, was not the problem.
Reducing the number of cybersecurity tools (rather than reducing the breadth of the total toolkit’s abilities) only provided marginal gains in better response times and effectiveness. The message appears to be one of targeted throwing of money at the issue — towards new personnel — rather than buying new, shiny toys. There were gains to be made by creating coherent interactions between different tools, the survey respondents felt. While the logic of this is irrefutable, that type of functionality might be most effectively achieved by working with what cyber teams already have, rather than sourcing “the one platform to rule them all.”
— Rhea Galsim is trying to be an advocate (@soundslikerhea) July 2, 2020
Like many others of its ilk, the survey has a proportion of obviousness – the need for better planning – and serves here to reflect, once more, on the lack of resources and budget available to most cybersecurity teams. Planning, and thus the production of “playbooks” for specific successful cyber threats takes time and, therefore, money.
The most common playbooks successfully in place were around DDoS and malware attacks, with pre-emptive activity such as anti-phishing measures receiving less resource allocation, according to the survey’s respondents.
Like many of the Ponemon Institute’s surveys and research papers, this latest example is sponsored by a commercial company. The intended take-home message of the survey is to buy something ‘AI-driven’ with the Big Blue stamp on it, but the real message is one that’s been heard countless times before, but often not listened to: cybersecurity teams need more cash and more people.