In two separate surveys, one by Gartner and another by Wire, the figure of 35 percent of respondents came up for both the number of organisations with no cyber-security expert - and the number who did not know how their organisations protect sensitive information, communications or data.
Gartner’ 2018 CIO Agenda Survey notes that the low figure for cyber-security experts is despite 95 percent of CIOs expecting cyber-threats to increase over the next three years. These skills shortages are impacting digitalisation, with digital security staffing shortages considered a top inhibitor to innovation.
Some 3,160 CIO respondents from 98 countries were surveyed by Gartner, with cyber-security identified as a source of deep concern for organisations who struggle to anticipate criminal activities and tactics.
Rob McMillan, research director at Gartner commented: "In a twisted way, many cyber-criminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data." He adds, "CIOs can't protect their organizations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it."
Thirty-five percent of survey respondents report already investing in and deploying some aspect of digital security and 36 percent are actively experimenting or planning to implement in the short term. Gartner predicts that 60 percent of security budgets will be in support of detection and response capabilities by 2020.
McMillan adds that companies should take a risk-based approach and prioritise investment for business outcomes to ensure the right amount is spent on the right things. But the top priority for the organisations themselves is growth, which itself will introduce new attack vectors and new risks that organisations are not accustomed to addressing.
93 percent of CIOs at top-performing organisations say that digital business has enabled them to lead IT organisations that are adaptable and open to change, which benefits security practices - though cyber-security skills shortages are generally seen as and inhibitor of innovation.
Piers Wilson, head of product management at Huntsman Security emailed SC Meda UK to comment: "Gartner’s findings are quite shocking but captures the heart of a worldwide problem: the frequency, severity and sophistication of attacks is growing faster than organisations can keep up. By next year, ISACA predicts a global shortage of two million cybersecurity professionals, so it’s no wonder that so many organisations are radically understaffed in this area. On top of that, for those companies that do have cyber-security teams, the incredible workload is likely to lead to burn-out, mistakes or vital warning signs being overlooked - all of which increases the likelihood of a successful attack. This emboldens attackers further – creating a vicious spiral of ever-increasing assaults.
"Technologies like automation and machine learning can help lift some of the burden but the bottom line is that companies simply have to invest more in making their security team more efficient and effective - training staff and investing in automation and analytics will be a necessary strategy. Otherwise businesses are trying to protect themselves with one, or both hands, tied behind their back."
Andy Norton, director of threat intelligence at Lastline agrees, emailing SC Media UK to observe: "To diligently counter intrusions, organisations need timely access to expertise in order to manage risk. The current levels of data breaches show that there is a significant amount of unmitigated risk due to the skills shortage and lack of appropriate relevant intelligence.
"Organisations must embrace AI that is adversary resistant, just like a human expert would be, to provide the analytics to automate prevention and response countermeasures based on an coalesced array of signature, behavioural and anomaly detection technologies."
But while Artificial Intelligence (AI) may be promoted as the answer to the skill shortage, a new report by PWC says it will create as many jobs in the UK as it will displace over the next 20 years. However, this led Farida Gibbs, CEO and founder of Gibbs Hybrid to ask, what if there are not enough people to fill these vacancies? She noted how PWC analysis showed that the fourth industrial revolution will favour those with strong digital skills, as well as capabilities like creativity and teamwork which machines find difficult to replicatewith 63 percent of CEOs currently worried about the lack of talent to stay competitive in the digital age. Gibbs commented: "As the demand for people with digital skills increases, many firms make the mistake of hiring IT experts without first understanding what they need for tech advancement.
"With so much technology out there, it is difficult for firms navigating change to cut through the noise. Having access to ‘ready-made’ digital teams as needed allows firms to tap into the right expertise. It’s almost like having a menu where they can pick and choose a PROJECT team which will be best able to cater to their specific business requirements. Firms can stay competitive and keep up with the digital age, taking advantage of on-demand digital teams to cut costs, mitigate risk and accelerate change."
The problems caused by these skill shortages are not in the future, but here now as Wire found in a survey report on GDPR polling top executives, and IT Managers across the UK, US and Germany, looking at how companies handle what they consider to be sensitive information, awareness of the risks of GDPR compliance, and how many have systems to protect it.
Wire says its research indicates a large degree of corporate ignorance or unpreparedness towards GDPR and securing their data and communications, at a time when it is more critical than ever to do so.
Key findings include:
One in three (35 percent) of respondents in the UK admitted that they were unaware of how their organisations are protecting its sensitive information, communications or data – which was still better than both the US (43 percent) and Germany (41 percent).
32 percent of UK respondents are unaware or unsure about the new GDPR, compared to 42 percent of German and 76 percent of US companies respectively.
72 percent of UK respondents regularly handled sensitive information (the most of all regions), yet 44 percent of these communicate sensitive data through email
Only 9.3 percent (UK), 6.1 percent (US), and 23.1 percent (DE) of respondents accurately stated how much GDPR compliance could cost their organisation in global annual revenue.
The conclusion by Wire was that employees are either not being given the tools to protect their data or don’t know how to use these tools properly, and since they are unaware of the costs of a breach under GDPR potentially lack the motivation to protect themselves and their company. "When this is combined with insecure third parties who data gets shared with and insecure communications practices, we are left with fines waiting to happen," says a company statement.