Halloween is supposed to that one day of the year when ghosts, goblins, and other supernatural threats are supposedly allowed to roam the land before the onset of the dark days of winter. Unfortunately, for cybersecurity professionals, every day feels like Halloween.
This week, ISACA, Capability Maturity Model Integration (CMMI) Institute and Infosecurity Group published a survey of 4,625 individuals involved in risk decisions asking about the biggest threats, risks, and fears in cybersecurity. The biggest boogeyman of all is the cloud, by a whopping 70 percent margin. In contrast, the next two closest cybersecurity fears are the Internet of Things (IoT), earning votes from 34 percent of respondents, and machine learning and artificial intelligence (AI), which received votes from 25 percent.
Risk managers are afraid of anything new
The top cybersecurity concerns cited by survey respondents are advances in technology (64 percent), changes in the threat landscape (60 percent), not having enough security personnel (52 percent), and missing skills in existing cybersecurity team personnel (51 percent).
Over the next 12 months, risk managers expect to see more of the same. Changes and advances in technology (63 percent) and changes in types of threats (61 percent) continue to be at the top of the list of concerns, followed by increased number of threats and/ or increased frequency of threat occurrence (52 percent).
Risk management processes are far from mature
While the majority have implemented fundamental risk management steps such as assessment (85 percent) and risk identification (81 percent), only 63 percent report having defined processes for risk identification. Only 38 percent said their organizations have processes at either the managed or optimized level of the maturity spectrum for risk identification. Results for risk assessment maturity were similar, with 42 percent at the managed or optimized level compared to 64 percent that have defined processes.
Despite that lack of maturity, 80 percent said they have awareness training in place, followed by 68 percent that employ disaster recovery strategies and 67 percent that employ generic governance controls to reduce risks.
Nevertheless, 41 percent have trouble assessing cybersecurity risks, while 42 percent have issues measuring cybersecurity risks. Nearly half have issues mitigating risks as well. Only 35 percent have a defined cybersecurity risk tolerances for their organization.
More telling, well more than half (60 percent) of organizations can put mitigations in place once a new vulnerability or threat is identified within three months. Only 31 percent said they can respond in less than one month. Half of the survey respondents also believe their organization has been impacted either significantly or moderately by nation-state sponsored attacks.
Clearly, organizations have a compelling need for external cybersecurity expertise. Not only can managed security service providers (MSSPs) respond faster to new threats, they can also instill confidence in their customers by helping them to define a set of processes for not just identifying potential cybersecurity threats, but also how to respond to them effectively.
There will never be such a thing as a perfect security process. However, the more anyone is prepared for any threat, the less every day starts to feel like just another Halloween.