The Ivanti Threat Thursday Update for December 7, 2017: A Skills Gap? Or a Skills Chasm?

Greetings and welcome. This week, new survey results indicate the cybersecurity skills gap is persistent, tenacious, and likely growing. Got relevant opinions, reactions, and/or suggestions? Feel free to share. Thanks in advance.

Survey: The Cybersecurity Skills Gap is Real – and Really Troubling

Research conducted jointly by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) indicates that the cybersecurity skills gap is widening, and its effect on businesses is growing.

  • For their second annual joint study of “The Life and Times of Cyber Security Professionals,” ISSA and ESG interviewed some 343 respondents from around the world. The top three contributing factors to cybersecurity threats and vulnerabilities cited by those respondents? Lack of training of non-technical employees (cited by 31 percent), lack of adequate cybersecurity staff (22 percent), and “business executive management making cyber security a low priority (20 percent).”
  • Some 70 percent of respondents believe the cybersecurity skills shortage has affected their organizations. However, 62 percent also believe their organizations “are falling behind in providing an adequate level of training” for their professionals, a rise of almost 10 percent from last year’s study.
  • Respondents also highlighted specific areas in which skills are lacking at their organizations. The two top areas? Security analysis and investigation skills and application security skills, each cited by 31 percent of respondents.
  • “Survey respondents say the number one cyber security challenge is the cyber security staff being understaffed for the size of their organization (29 percent).” Respondents also said their organizations need to improve aligning cybersecurity and business goals, formalizing and documenting cybersecurity practices, and recruiting IT and business professionals “to bridge the cyber/business gap.” Such recruiting faces significant obstacles, however – 49 percent of respondents say they are contacted by recruiters about other jobs at least once a week.

What We Say: No amount of recruiting will ever completely close the cybersecurity skills gap at every – if at any – organization. The challenges to effective cybersecurity are too numerous and evolving too quickly to be solved by “throwing people at the problem,” even if such people can be found. Your organization needs to ensure that it has tools in place that automate and rationalize critical cybersecurity processes, and that maximize protections while minimizing your exposure. Fortunately, starting with basics such as comprehensive patch and privilege management and application whitelisting can significantly improve cybersecurity. They can also help get your organization closer to defense in depth that is also aligned with business goals. (See “7 Essential Real-World Security Questions to Ask Today” (Parts 1 and 2), and “What to Do BEFORE All Hell Breaks Loose: Cybersecurity for Today’s Extreme Threats.”)

Survey: Industrial Companies Just Don’t Get Cybersecurity – Yet

Many industrial companies are eagerly pursuing modernization and digital transformation initiatives, under banners such as “Industry 4.0” and “Smart Manufacturing.” Yet recent research indicates that many of these companies are woefully unprepared for the cybersecurity threats likely to grow and multiply as such enterprises become more digitally connected.

  • As reported by ZDNet, Honeywell Industrial Cyber Security sponsored a survey of 130 industrial companies conducted by LNS Research. That survey, “Putting Industrial Cyber Security at the Top of the CEO Agenda,” found that 53 percent of those companies have experienced at least one cybersecurity breach. Yet 63 percent “do not monitor for suspicious behavior, and 45 percent do not even have a cybersecurity expert or manager in place.”
  • “In addition, 25 percent of those surveyed said they never conducted penetration testing, while 13 percent said this practice – which can discover holes in network security before attackers do – occurs less than once every 12 months.”
  • Industrial companies are increasingly focused on the so-called “Industrial Internet of Things (IIoT)” – a combination of “sensors, Internet of Things (IoT) devices, embedded connectivity in control components, and data analytics.” While the IIoT can improve industrial processes, it also creates more opportunities for cybersecurity vulnerabilities and breaches. “Together with long upgrade cycles commonly found in industry, businesses may be setting themselves up for a cybersecurity incident.”

What We Say: In fewer than 10 days this June, WannaCry forced a Honda plant to halt production and NotPetya locked employees out of radiation monitoring systems at Chernobyl. The cybersecurity clock is already ticking at those industrial companies that have not yet experienced a significant breach. As is true beyond industrial and manufacturing concerns, cybersecurity must be an integral part of any modernization or digital transformation efforts. To pursue such initiatives without a laser-like focus on cybersecurity is to attempt to build a business on a foundation almost guaranteed to be attacked successfully, sooner or later. For maximum benefit, cybersecurity efforts must extend beyond knowledge workers, and embrace every part of the business, from the warehouse to the factory floor. (See our supply chain blog posts and “Ransomware: It’s About Much More Than Money.”)

Achieve Defense in Depth with Ivanti

Ivanti can help your enterprise improve its defenses against cybersecurity attacks, whatever business your enterprise pursues. Patch your client and server systems more easily and consistently. Fight malware attacks more effectively, and recover from successful threats more quickly. Control users’ applications, devices, and admin rights, while delivering the access they need to do their jobs. Modernize your supply chain and make your warehouse employees more agile and productive. And more.

Check out our cybersecurity solutions online. Then, contact Ivanti, and let us help you bring effective, multi-layered cybersecurity to your organization. (And do please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates.)