The line between all the cybersecurity attacks being launched and the defenses put in place by most organizations today is very thin indeed. A new survey of 1,200 C-suite leaders and information security and IT executives published by EY, formerly known as Ernst & Young, finds that 89 percent of the respondents admit their cybersecurity requirements are not being met.
The survey also finds that 87 percent of the respondents say they need more than a 50 percent increase in budget to meet those requirements. However, only 12 percent say they expect to see a 25 percent or more increase in their cybersecurity budgets in 2018.
The good news is that 58 percent of the respondents did say their cybersecurity budget increased in the last 12 months prior to the survey being conducted. In addition, over half (56%) note they have either made changes to their strategies and plans to take account of the risks posed by cyber threats, or that they are about to review their strategy. But only four percent are confident they have fully considered the information security implications of their current strategy.
Cybersecurity issues that need to be addressed span everything from the ability to identify vulnerabilities (75%) to identity and access controls (38%), and data protection policies (35%). Nearly half the respondents (48%) also revealed they do not have a security operations center (SOC) or a formal threat intelligence capability (57%). Only 12 percent said it is likely they would be able to detect anything approaching a sophisticated cyberattack.
The fundamental cybersecurity issue most organizations are trying to balance comes down to competing priorities. Most IT security budgets are only a percentage of the overall IT budget, which in turn is usually a single-digit percentage of overall revenues. The amount of money allocated to IT security has certainly increased as a percentage of IT budgets in the last year. But IT security remains costly to maintain. IT organizations clearly need to focus more of their time and energy in the coming year on implementing security solutions that take advantage of automation and artificial intelligence (AI) to improve IT security while simultaneously reducing total costs. The hope is that nothing too catastrophic happens between now and when organizations have the time and resources available to strengthen their IT security defenses.
Alas, much of this discussion is disturbingly familiar to most seasoned cybersecurity professionals. Every day now for years most of them have been going to work with a queasy feeling in the pit of their stomachs. Most have dealt with several major incidents having various levels of impact on their organization. Despite those well-documented events, most organizations continue to bet the rewards associated with implementing new IT projects still outweigh any of the cybersecurity risks. That’s probably a good thing for the IT industry. But it does leave many cybersecurity professionals wondering if it’s now only a matter of time before something truly catastrophic occurs.
Savvy cybersecurity professionals realize there’s not much to be gained by constantly reminding their colleagues that the sky could fall any minute now. But there is at least some comfort to be gained from the fact that going into 2018 they are not the only ones feeling a little more than uneasy.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.