Perfect storm: Not only is the volume and complexity of cyberattacks increasing, but there's also a lack of resources necessary to hire skilled personnel.

IT security leaders are facing a perfect storm of challenges: Not only is the volume and complexity of cyberattacks increasing, but a lack of resources necessary to hire skilled personnel to combat the threat landscape is exacerbating organizations' capacity to stay up to date with the activity of threat actors.

In fact, 80 percent of security leaders surveyed for the second installment of ISACA's "2017 State of Cyber Security Study," said "it is likely" that their businesses will be hit with a cyberattack this year, with more than half (53 percent) reporting a year-over-year increase in cyberattacks in 2016.

This illustrates a combination of changing threat entry points and a realignment of the types of threats, said the annual survey from the global business technology association.

For instance, Internet of Things rose to become a primary focus for cyber defenses, surpassing mobile, as nearly all organizations (97 percent) experienced a rise in the use of these devices.

As well, ransomware emerged in 2016 as a major threat: 62 percent of those surveyed said their organization was affected. The significance for security practitioners, ISACA warned, is that only 53 percent have protective measures in place to guard against it.

Malicious attacks, too, continue to interfere with business operations – impairing data – with 78 percent of enterprises surveyed saying they were victims of attack.

And, pointing out the lack of security preparedness, the ISACA survey found that less than a third of organizations (31 percent) reported that they routinely test their security controls, with 13 percent saying they never test them and 16 percent saying they do not have an incident response plan.

One of the survey's key findings was the sore lack of skilled personnel. Enterprises reported not only an inadequate supply of qualified applicants, but also that many of those already on staff lacked essential skills and training to fight off cyberattacks.

While cybersecurity is a priority in the C-suite, obstacles for those charged with protecting their enterprise networks remain, according to ISACA's analysis of its survey results.

"Without the appropriate investments in people and technology, enterprises become increasingly vulnerable to a threat landscape that is growing in both volume and complexity," Rob Clyde, board director of ISACA and executive chair of White Cloud Security, told SC Media on Tuesday.

ISACA's report, he pointed out, showed that fewer than half of organizations are confident in their security team's ability to handle anything beyond simple cyber incidents. "This is untenable given the potentially debilitating consequences of a cyberattack, and a direct result of insufficient investment in building security teams armed with the necessary technical skills and resources to deal with the expanding attack surface."

Moreover, he added, the report showed that only 27 percent of organizations planned to spend $2,500 or more on training per person for cybersecurity in 2017. "Given the tight labor market for cybersecurity professionals, this inadequate budgeting is unlikely to effectively address the needed level of cyber expertise," Clyde said.

Security pros need to frame their requests in business terms that describe the security program's specific impact on the organization, both in terms of opportunity and risk, Clyde told SC. "CISOs can be a powerful resource in making that business case to the board, and on that front, the State of Cyber Security had some encouraging results, as 65% of respondents indicated their organization had a CISO – up 15 percentage points from the year before."

He added that respondents also indicated that the biggest skills gap they see right now is a lack of business understanding. "When possible, prospective CISOs should seek to gain business experience by leading other parts of the organization as opposed to just cybersecurity."

Budget allocations are not helping matters. Although the survey reported that cybersecurity budgets remain strong, fewer organizations are devoting larger outlays to their security programs. In fact, the percentage of budget increases will fall by 10 percent at organizations, the survey determined.

ISACA's "State of Cyber Security Study 2017" is available as a free download here [registration required].