Who Is Winning The Cyber War?

Uploaded on 2016-03-15 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

Who is winning the cyber war, the criminals and hackers or network and system defenders?  ISACA and RSA Conference wanted to answer this question so we conducted the second annual State of Cybersecurity study, which was released at the RSA Conference.

The data shows us that the answer is a bit unclear. Cyber attacks are still pervasive. We are still experiencing many of the same attack types that have plagued organizations for years. And it is increasingly difficult to hire fully capable cyber-practitioners and others who are part of the enterprise assurance and risk management network.

The good news is that executives and board members are very concerned. They recognize that cyber threats are harming the bottom line and that—if they want to deploy leading-edge technologies and offer new technology-based services and products—they need to ensure that security is designed in and that personal information is protected.

One-third of the 461 Cyber and information security specialists who participated in the study reported that their organization was a cyber-victim in 2016. While this is a high number in itself, an additional 20 percent did not know if their organization had been a victim. When asked about the frequency of attacks, the largest number (23 percent) reported experiencing cyber-attacks at least quarterly.

The most frequent attacks were phishing, malicious code incidents, physical loss of computing or mobile devices, and hacking.

As you might expect, the experience of attacks on a daily, weekly or monthly basis were reported less frequently. An alarming trend is that 54 percent of study participants did not know how frequently they experience cyber-incidents. While 73 percent believed they were able to detect and to respond to incidents, 42 percent felt they could only do so for simple attacks. In an era of increasingly sophisticated and persistent attacks, being able to identify and respond to attacks is imperative.

Board and executive concern and support for cyber activities are increasing. Eighty-two percent of security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity. This is not surprising given the higher level of awareness about cyber in general and the number of high profile attacks that we have recently seen.

Executive support for cyber is essential. We find that executive support for enforcing security policy (66 percent) and providing needed funding (63 percent). The challenge is that less than half of executives follow good security practices themselves (43 percent) or mandate cyber awareness (59 percent). Cyber is not only a technical problem. Many attacks target the weakest link, executives who do not follow good practices, and employees who are security unaware.

Technical solutions to address cyber threats are getting better. We have all witnessed how technology vendors are enhancing current products. New startup companies are bringing very exciting products to the market. These however will not solve the problem alone.

More important is the need to address the critical shortage of skilled cyber practitioners. Security executives are finding this difficult. The majority (54 percent) reported that it takes from three to six months to find a candidate. Less than half of these candidates (59 percent) are fully qualified on hire. Slightly more than 60 percent lack the required technical skills. Three quarters do not have the necessary understanding of the business to be effective. Slightly more than 60 percent do not have needed communication skills. Security will never be effective if new practitioners don’t have a strong technical understanding, the ability to address cyber-risks in business language, and if they cannot clearly and concisely communicate security issues.

While technology will help us meet cyber-challenges, it is also creating new opportunities for compromise. Cyber specialists are concerned about the rapid development of artificial intelligence products as well as the Internet of Things (IoT). We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked. More than half of those participating in the study are concerned or very concerned about the risk associated with the IoT. Forty-two percent believe that cyber risk associated with artificial intelligence will increase in the short term and 62 percent believe that risk will increase in the long term.

So, are we winning the cyber war? Not yet. We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding. We are building our capabilities by deploying good technologies, but we don’t have sufficient skilled staff to bring to the battle. We still have too many leaders who say they support cybersecurity but do not consistently follow best practices or encourage cyber awareness in the enterprise.

To further complicate things, advanced technologies are expected to gain wide acceptance when we are still unsure about the risk they represent. The good news is that the challenges we are experiencing can be solved. We see increased attention to cyber by governments, research institutes and enterprise decision makers. Public awareness is increasing. Programs are being offered to solve the skill shortage. With skills-based training and performance-based testing, we are building the front line defenders and responders capable of engineering strong defenses and aggressive response plans.

Information-Management: http://bit.ly/1QMtYTr

« Recovered IS Document Reveal 22,000 Recruits
Communications Breakdown: CISOs & Company Boards »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

PETRAS IoT Hub

PETRAS IoT Hub

PETRAS is a consortium of 12 research institutions and the world’s largest socio-technical research centre focused on the future implementation of the IoT.

National Cyber Security Center (NCSC) - Hungary

National Cyber Security Center (NCSC) - Hungary

The National Cyber Security Center was established in 2015 by uniting the GovCERT-Hungary, National Electronic Information Security Authority (NEISA) and the Cyber Defence Management Authority (CDMA).

Yelbridges

Yelbridges

Yelbridges is your reliable partner in all fields of IT-Security, from developing of Security Policies and Guidelines to the design and implementation of secure processes.

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

INFRA Security & Vulnerability Scanner

INFRA Security & Vulnerability Scanner

INFRA is a powerful platform with an easy interface for any kind of Ethical Hacking, from corporate monitoring and VAPT (vulnerability assessments and penetration testing) to military intelligence.

LTIMindtree

LTIMindtree

LTIMindtree is a new kind of technology consulting firm. We help businesses transform – from core to experience – to thrive in the marketplace of the future.

Epiphany Systems

Epiphany Systems

Epiphany enhances your defensive security controls by providing you with an offensive perspective. We expose the most likely attack paths to your most critical IT assets and users.

Anterix

Anterix

Anterix is focused on empowering the modernization of critical infrastructure and enterprise businesses by enabling private broadband connectivity.

LBMC

LBMC

LBMC is a professional services solutions provider in accounting and finance, human resources, technology, risk and information security, and wealth advisory services.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

Ontinue

Ontinue

Ontinue ION is an MXDR service that provides Nonstop SecOps through five key capabilities that enable your organization to respond to attacks and continuously reduce risk.

DV Cyber Security

DV Cyber Security

DV Cyber (formerly A76) is an innovative cyber security company vertically focused on Threat Intelligence and Cyber Security Research.

Cypfer

Cypfer

CYPFER is a global market leader in ransomware post-breach remediation and cyber-attack first response.

AI Safety Institute (AISI)

AI Safety Institute (AISI)

The AI Safety Institute’s mission is to minimise surprise to the UK and humanity from rapid and unexpected advances in AI.

SentryMark

SentryMark

Stay a Step Ahead of Emerging Threats. Deviate from the traditional siloed defenses and get the proactive and responsive cybersecurity solutions and services you deserve with SentryMark today.