RSA conducted a survey with the assistance of ISACA to help determine the current state of cybersecurity and what the implications for the future will be. First, Jennifer Lawinski from RSA provided information on the top topics for this year’s conference. She listed the 10 most common phrases in RSA speaking submissions for 2016; among them were:
- Internet of Things
- Industrial controls
- AI and machine learning
- The role of the researcher
- Healthcare and auto industry
- Security and the board
- Privacy and the role of legislation
- The inevitability of a breach
After discussing a few of these topics briefly, Ron Hale, chief knowledge officer for ISACA, provided the results of the survey. Here are some of the findings:
- 33.4% of respondents said they had been the victim of an attack in the last year, while 17.68% said they were not sure. I find the second number more startling than the first. Not knowing whether you have suffered an attack suggests there is little or no detection in place: no logging, monitoring or alerting that would surface an intrusion after the fact.
- When asked what was the likelihood of being attacked (not breached), 74.24% said it was likely or very likely. My thought: it should probably be 100%, as just about every business is under attack at some point – whether from phishing, malware or an active attempt to exploit a vulnerability.
- When asked if their company had the ability to detect and respond to attacks, 31.41% said yes, leaving the majority without a way to tell if there is an active attempt at breaching them.
- What is encouraging is that 82% of respondents said that their board is concerned or very concerned about cybersecurity, which means they can take action. However, it is the responsibility of security teams to make sure the board is focusing on the right areas.
There were a number of other statistics provided, but these were the most interesting. If you want to see the full presentation, you can do so here: https://www.rsaconference.com/events/us16/agenda/sessions/2741/state-of-cybersecurity-2016-findings-and
Another area that this survey covered was the security skills gap. According to the report, it takes 53.7% of companies between three and six months to fill a position. This is in part because they are looking for employees who do not require any training. In the past (and this is true in almost all industries), companies expected to train employees and expected it to take several months to get them up to speed after they were hired. This was even the case with highly educated employees; some training was always required. Now, employees are expected to already have the knowledge needed to perform. I wonder whether, instead of taking three to six months to find an employee, it would be better to relax job requirements, hire quickly and then use those three to six months on training.
The survey also listed the skills that are generally required:
- Technical skills – 60.9%
- Business understanding – 75.3%
- Communication skills – 61.1%
With such a heavy emphasis on business and communication skills, I also wonder if it would be more efficient to hire business experts who can speak the language of business and understand business needs, and then train them on the technical side. I suppose it depends on which training is more difficult. I think that the ability to communicate well and think strategically is harder to acquire than technical skills; those are closer to innate personality attributes and are hard to teach. Some people are more technically inclined than others, but for the most part, people can learn technology if they want to.
Closing the skills gap is going to be a major challenge for the security industry, which is why it is necessary for us to open the doors to demographics that were traditionally discouraged from going into security and technology.