RSA, with the assistance of ISACA, conducted a survey to gauge the current state of cybersecurity and what it implies for the future. First, Jennifer Lawinski from RSA walked through the top topics for this year’s conference. These were the 10 most common phrases used in RSA speaking submissions for 2016:

  1. Internet of Things
  2. Industrial controls
  3. Encryption
  4. AI and machine learning
  5. Crowdsourcing
  6. The role of the researcher
  7. Healthcare and auto industry
  8. Security and the board
  9. Privacy and the role of legislation
  10. The inevitability of a breach

After discussing a few of these topics briefly, Ron Hale, chief knowledge officer for ISACA, provided the results of the survey. Here are some of the findings:

  • 33.4% of respondents said they had been the victim of an attack in the last year, while 17.68% said they were not sure. I find the “not sure” figure more startling than the number that had been attacked. Not even knowing whether you have suffered an attack suggests you have little or no detection in place, or no way to act on what your detection reports.
  • When asked what was the likelihood of being attacked (not breached), 74.24% said it was likely or very likely. My thought: it should probably be 100%, as just about every business is under attack at some point – whether from phishing, malware or an active attempt to exploit a vulnerability.
  • When asked if their company had the ability to detect and respond to attacks, only 31.41% said yes, leaving nearly 70% without a way to tell whether there is an active attempt to breach them.
  • What is encouraging is that 82% of respondents said that their board is concerned or very concerned about cybersecurity, which means security teams have an audience that is willing to act. However, it is the responsibility of those security teams to make sure the board is focusing on the right areas.

There were a number of other statistics provided, but these were the most interesting. If you want to see the full presentation, you can do so here:

Another area that this survey covered was the security skills gap. According to the report, it takes 53.7% of companies between three and six months to fill a position. This is in part because they are looking for employees who do not require any training. In the past (and this is true in almost all industries), companies expected to train employees and expected it to take several months to get them up to speed after they were hired. This was even the case with highly educated employees; some training was always required. Now, employees are expected to already have the knowledge needed to perform. I wonder whether, instead of spending three to six months finding an employee, it would be better to relax the job requirements, hire quickly and then spend those three to six months on training.

The survey also listed the skills that are generally required:

  • Technical skills – 60.9%
  • Business understanding – 75.3%
  • Communication skills – 61.1%

With such a heavy emphasis on business and communication skills, I also wonder if it would be more efficient to hire business experts who can speak the language of business and understand business needs, and then train them on the technical side. I suppose it depends on which training is more difficult. I think that the ability to communicate well and think strategically is harder to acquire than technical skills; those are almost innate personality attributes that are hard to teach. There are people who are more technically inclined, but for the most part, people can learn technology if they want to.

Closing the skills gap is going to be a major challenge for the security industry, which is why it is necessary for us to open the doors to demographics that were traditionally discouraged from going into security and technology.

About Jessica Lavery

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro and Sophos, where she held roles in corporate communication and marketing.

Comments (4)

willc | March 4, 2016 8:23 am

"To not even know that you’ve suffered an attack suggests you don’t have any detection in place."

That's not necessarily the only conclusion that can be drawn. I can have all the protection in place that money can buy, and it's still reasonable to assert that I don't know if I've been attacked. Just consider the Advanced Persistent Threat.

Jessica Lavery | March 7, 2016 9:35 am

@WillC - the argument wasn't that being breached means that you don't have protection. On the contrary, and to your point, you could have all the best protection solutions in place, configured correctly and optimally, and still suffer a breach! That's why DETECTION is also necessary. Detection helps tell you when you have a breach. The point is, you need both protection to help prevent as best you can, and detection for if you are breached.

Alok Kumar | March 13, 2016 9:41 am

Very nice blog with good information. Cyber security is the most important thing for any business. Cybercriminals were able to access the information off of the IRS database by using a bot that steals PINs and matching them with personal information collected elsewhere. PINs are used by taxpayers to authenticate their online access. With the combination of social security numbers and PINs, cybercriminals could fraudulently collect tax refunds from unsuspecting taxpayers.

Greg J. Sutton | March 14, 2016 5:32 pm

Thank you for providing useful statistical information here!
As it turned out, cyber security is on a lower level than was expected. Good news that we know that and can apply some activity to fix it.
