One of the biggest issues with cybersecurity today is that business executives and IT staff can’t seem to find common ground when it comes to agreeing on how well the organization is prepared to fend off a cybersecurity attack.
A survey of 500 business and IT professionals published this week by CompTIA shows just how far apart these two camps are. A full 55% of executives and 61% of business staff rated the level of cybersecurity in place as completely satisfactory, while just 35% of the IT personnel felt the same way. The same survey also finds 91% of executives and business staff said there is a strong understanding of cybersecurity within their company, a sentiment only 78% of the IT staff shared.
Nevertheless, the CompTIA survey finds 45% of companies are completely satisfied with their current cybersecurity readiness, up from just 21% in 2017. Many of those companies appear to have also increased their investments in metrics to evaluate cybersecurity performance to make that case. The survey finds there has been a sizeable increase in the number of companies making “heavy” use of cybersecurity metrics. Well over a third (39%) now make heavy use of cybersecurity metrics, up from 21% a year ago.
Interestingly, small companies (48%) appear to be adopting metrics faster than either larger organizations (37%) or mid-sized firms (27%). Specific metrics being tracked include successful compliance audits, employee security training, formal risk assessments, and violations of security policies.
Whatever the level of progress, the survey also makes it apparent that at least half of all companies are not satisfied with the level of cybersecurity they have in place. The truth, of course, is that to one degree or another all companies are vulnerable. The real question is whether they are secure enough to make it not worth the effort cybercriminals would have to make to compromise those defenses. Cybercriminals are already investing in artificial intelligence (AI) to lower their total cost of launching more attacks. Armed with more sophisticated bot platforms, it also appears cybercriminals are getting better at launching more targeted attacks as well. In the long run, it’s only going to become less expensive for cybercriminals to launch attacks once they have the right platforms in place.
The question this all raises is to what degree organizations that are satisfied with their current level of security are engaged in some form of wishful thinking. IT people are always going to be less sanguine about the state of cybersecurity than their business colleagues, mainly because they have more insight into the true state of affairs within their organization. Where things get problematic is when those same IT personnel need to convince business executives who are satisfied with their cybersecurity to increase the cybersecurity budget.
Ultimately, each organization will need to determine what level of risk is acceptable based on the value of the data that might be stolen. However, in environments where business executives are not taking cybersecurity threats seriously enough, it’s only a matter of time before that inevitable rude awakening finally comes their way.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.