The new report suggests that almost half of the cybersecurity experts will end up switching their professions, and that by year 2025, lack of skills and human failure would ultimately be the reason for over half of significant cyber incidents in the coming future.
According to Deepti Gopal, director analyst at Gartner, professionals who are currently leading in the field of cybersecurity are in fact burning the candle at both ends to balance technology, business and environmental requirements in an attempt to maintain and improve their firm’s security.
“While they are in the rush to achieve this they are really spread thin[…]If you look closely at today’s world, the hybrid work environment is everything; that also impacts the cybersecurity leaders, adding complexity to their work and the way they strategize,” she says.
The "work life harmonization" employed by IT, she continued, dissolves the line separating work and non-work, especially given that both are located in the same place.
“If you listen to cybersecurity leaders, you’ll hear things like ‘I start my day with work, emails, alerts, and coffee,’ and ‘I work with a group of All Stars who are always available, they don’t complain about the workload. These are all elements that indicate the presence of high stress, high demand,” Gopal said.
“But, there is a loss of control or inability to have a sense of control on their work-related stress — the inability to protect their time for the things that matter the most. I like to ask leaders to jot down the things that they absolutely do in the coming week and then look at their calendars, most often they tell me that they haven’t carved out any time for the tasks on their list!” she adds.
Gartner research illustrates how the compliance-based cybersecurity programs, low executive support and subpar industry-level security are all signs that a company does not consider security risk management to be essential for commercial success.
According to Gopal, such enterprises are likely to lose cybersecurity talent to businesses where they are valued and are better recognized. “When the organization is charged to move fast, there will be situations where security is not top of mind; that needs to change,” Gopal said. “We need to see cybersecurity as intrinsic to digital design.”
According to Paul Furtado, vice president analyst at Gartner, the 'talent churn' of cybersecurity professionals as well as other professionals in the IT industry is a security risk since it gives rise to the possibility of insider misconduct.
“The cybersecurity workforce is a microcosm of society and made up of individuals who respond differently to different stress triggers[…]For some, they will leave their employment gracefully without any disruptions,” Furtado said. “Others may feel that the artifacts they’ve created or contributed to are their personal intellectual property, and therefore, they take a copy. Some may feel that they want to exfiltrate some data that may assist them in their next role with a different employer,” he continues.
Moreover, there also exists a possibility that individuals may well attempt actions, beyond theft to commit acts of sabotage or complete disruption of system or data, regardless of the position they hold in an organization.
“The reality is that security leaders must be prepared for each of these occurrences; there are numerous examples where these behaviors have occurred[…]The scary part: In some cases, insiders won’t wait for a layoff or resignation to start some of these behaviors,” Furtado says.
Furtado further advises that an organization must be well prepared against insider risks, since it is critical to prevent it from becoming an ‘actual insider threat event.’
In a survey of 500 IT security experts, Exabeam researchers discovered that nearly two-thirds of their respondents (65%) prioritize prevention over detection as their number one endpoint security objective. For the remaining third (33%), detection remained their utmost priority.
To make the situation worse, the businesses actually act on this idea. The majority (59%) allocate the same amount to detection, investigation, and response, while nearly three-quarters (71%) spend between 21% and 50% of their IT security resources on prevention.
According to Steve Moore, chief security strategist at Exabeam, the issue with this strategy is that the businesses concentrate on prevention while threat actors are already there, rendering their efforts useless.
“As is well known, the real question is not whether attackers are on the network, but how many there are, how long they have had access and how far they have gone[…]Teams need to raise awareness of this question and treat it as an unwritten expectation to realign their investments and where they need to perform, paying due attention to adversary alignment and response to incidents. Prevention has failed,” says Moore.
The majority of responders said yes when asked if they are confident, they can prevent attacks. In fact, 97% of respondents indicated they felt confident in the ability of their tools and processes to detect and stop attacks and data breaches.
Only 62% of respondents agreed when asked if they could easily inform their boss that their networks were not compromised at the time, implying that over a third were still unsure.
Exabeam explains that security teams are overconfident and have data to support it. The company claims that 83% of organizations experienced more than one data breach last year, citing industry reports.
Among the many approaches implemented in order to combat security affairs, most organizations appear to be inclined towards the prevention-based strategy. The reason is, it strives to make systems more resistant to attack. Contrary to detection-based security, this approach is more effective in a variety of situations.
Implementing a preventive approach could aid a company in significantly reducing the risk of falling prey to a potential cyberattack if it applies appropriate security solutions like firewalls and antivirus software and patches detected vulnerabilities.