So what keeps you up at night? If you are a Chief Information Security Officer for a major company, it may be the anxiety of losing your job should your employer fall victim to a cyber attack such as a data breach. This was one of the worrisome statistics outlined in the Ponemon Institute’s Megatrend Study that was publicized earlier this year. The many cyber incidents that have dominated the headlines and media outlets over the past couple of years appear to be taking their toll on CISOs and other C-Suite executives.
The study involved 612 CISOs, CIOs, and other information security professionals.
- An astounding 45% stated that they worry about losing their jobs in the aftermath of a major cyber attack.
- This seems understandable since 67% expect a data breach or similar type of cyberattack in 2018, up from 60% who expressed this expectation in 2017.
These apprehensions are not unique to US-based industry professionals. A survey conducted at Infosecurity Europe 2017 showed similar results. In this study, security professionals were asked which company position was most responsible in the event of a company data breach.
Of the respondents,
- 40% believed that the CEO would be first on the firing line
- followed by the CISO (21%)
- “Other” (15%)
- CIO (14%)
Recent examples of forced departures include the resignation of Equifax CEO Richard Smith after the disclosure of the massive breach. At Uber, three senior managers in the security unit resigned in the aftermath of the disclosed cover-up in which Uber paid a hacking group to delete the records seized by the perpetrators in a massive data breach involving over 50 million drivers and passengers. Other examples of high-level firings include companies such as Austrian aerospace manufacturer FACC, Sony, Target and Home Depot.
In addition, the public clearly feels that companies should take the hit for data breaches that involve their personal information. In a recent survey of 9,000 consumers in Australia, Benelux, France, Germany, Russia, UAE, Saudi Arabia, India, Japan, United Kingdom, and the United States, 70% of respondents said that the responsibility for protecting and securing customer data lies squarely with the companies themselves.
The Ponemon Study clearly shows that the stress of cybersecurity is taking its toll amongst CISOs. Not only do the majority of them feel a cyber attack is imminent, but 66% say that they expect their job to get more stressful in the coming twelve months. More concerning is the fact that:
- 44% indicated that they planned to make a lateral move in their organization outside of IT security
- and 40% plan to simply change careers entirely.
So what has C-Suite IT Security executives so anxious?
Certainly, the publicity over cyber attacks such as data breaches and ransomware has turned up the heat for these executives. Information overload and increased regulations are contributing as well. Besides these atmospheric changes, the Ponemon Study outlined some specific concerns expressed by the respondents.
- 70% of respondents said the most probable cause of a data breach was a lack of competent in-house staff.
- 64% of respondents state that a lack of in-house expertise would likely result in a data breach. The chronic shortage of cybersecurity talent has been labeled an epidemic by some industry analysts. One leading information security advocacy group predicts there will be a global shortage of two million security professionals by 2019. Most industry analysts put the number somewhere between 1.5 and 2 million.
- 47% worried about a potential breach due to their organization's failure to secure IoT devices. The inability to properly secure mobile devices was of nearly equal concern.
- 56% cited the inability to keep up with increasingly sophisticated cyber attacks.
- One-third of the respondents attributed the concern to inadequate funding.
- 40% reported that their IT security budgets remained flat last year despite the mounting threats, while 23% expected a smaller budget for the coming twelve months.
A major concern outlined in the report was the inability to prepare for new types of threats long term due to the bombardment of daily threats and attacks. Malware and phishing attacks continue to be top concerns, as phishing remains the primary delivery agent for malware-generated data breaches and ransomware attacks. The ability to completely secure the user email experience is a top priority. Besides the implementation of security tools such as modern-day email and web filtering, cybersecurity needs to become a practiced culture within every organization. Until it is, the stress for top-level IT security executives is sure to remain high.