Cyber security: A work in progress

Piers Wilson, director of the Institute of Information Security Professionals, reflects on the findings of the latest IISP industry survey and suggests there is still more work to do

There is always a risk that cyber security surveys are simply designed to create headlines rather than provide a true reflection on what is really going on in the industry.

The truth is that, like most industries, change is relatively slow and most surveys provide just a snapshot of views and opinions from the front line. But now in its third year, the IISP survey of security professionals across a wide range of disciplines gives a more measured and mature view of the industry.

The figures show that, over the past three years, the proportion of those feeling that organisations are getting worse at defending against major cyber security breaches has doubled from 9% to 18%. In contrast, however, the number of businesses that feel better prepared to respond to and deal with incidents rose from 47% to 66% over the same period.

So, what do these figures show? The fact that more information security professionals feel that we are less able to protect our IT systems and data no doubt reflects the difficulty in defending against increasingly sophisticated attacks from multiple threat actors, combined with continued pressure on budgets. And coming on the heels of attacks such as WannaCry, this may have left many in the security industry feeling that basic factors like patching are still not being picked up, and that not enough progress is being made.

The figures showing that respondents feel we are better prepared to respond to incidents suggest a realisation that breaches are inevitable – it’s just a case of “when” and not “if”. As a result, security teams are now putting increasing focus on systems and processes to respond to problems when they arise, as well as learning from the experiences of others to build greater knowledge of what does and doesn’t work, along with how to handle breaches and how not to.

Looking at the longer-term data, we can see there seems to be a trend away from simply keeping up, with the “getting better” group growing faster than the “getting worse” camp.

When it comes to investment, the survey suggests that for many organisations, the growth of the threat landscape is still outstripping the increases in budgets. The number of businesses reporting increased budgets dropped from 70% to 64% and businesses with falling budgets increased from 7% up to 12%.

Economic pressures and uncertainty in the UK market are likely to be restraining factors, while the demands of the General Data Protection Regulation (GDPR) and other regulations such as the Payment Services Directive (PSD2) and the Networks and Information Systems (NIS) Directive are undoubtedly putting more pressure on limited resources to achieve compliance goals.

The IISP survey report also once again reinforces the problems of skills shortages, with the number of respondents reporting a dearth of skills and citing it as a challenge growing this year to 18%. This lack of skills is significant – with over twice the number (in percentage terms) of respondents highlighting it as a problem, compared with 2015.

This highlights the continued need for industry, government, academia and professional bodies like the IISP to keep working to resolve these shortages in skills to a level where there is the right mix available to support security functions. There is also, perhaps, a continuing need for security teams and managers to look at ways to work smarter and use technology better, as well as building and retaining expert teams.

While acting as a potential brake on capability, the skills shortage is also driving job prospects year-on-year, reflected in a growth of respondents in all the higher salary bands and in those reporting good job and career prospects.

The rate of advancement in technology in the wider IT systems and threat environment will also put more pressure on skills and resources. When asked about the impact and disruption caused by emerging technologies, respondents put the internet of things (IoT) and the rise of artificial intelligence (AI) at the top of the list.

Cyber criminals exploiting AI

We have seen AI and machine learning used in defensive security systems for some time, and this is now starting to become part of a wider automation approach. But like the IoT, AI can also be exploited by cyber criminals, so we need to have the people and technologies to respond and mitigate these emerging risks.

Whether it is the lack of skills to deal with increasing threats or the fact that many users still fall for scams and click on malicious links or open suspicious documents, one thing has been constant over the past three years.

When asked what the biggest problem is – people, process or technology – the results leave little room for ambiguity as to where the challenge lies, with 82% saying that cyber security is a people problem – consistent with the responses of the previous two years.

So, what can we conclude from three years of IISP surveys? The ongoing problem that security teams are trying to solve is clear. New attacks continue to emerge and new vulnerabilities are discovered and patched. Data volumes and technology reliance continue to increase, and the burden often falls to a team with roughly the same headcount and budget as the year before.