Study: Firms not ready to respond to complex threats

Only 46 percent of organizations have confidence that their security teams can respond to complex threats

Current Job Listings

Only 46 percent of organizations have confidence that their security teams can respond to complex threats, according to a new study by ISACA.

Another 41 percent said they're only confident in their ability to respond to simple issues, and 13 percent said that they're not confident at all.

One reason? Significant hiring shortages in the information security space.

Only 16 percent of respondents said that at least half of their applicants were qualified, while 53 percent said it can take three to six months to find a qualified candidate. And 35 percent of companies said that they have job openings that they cannot fill.

"You're getting these resumes, but you have to reject most of them," said Eddie Schwartz, president and COO at White Ops, who is also chair of ISACA's Cybersecurity Task Force. "That's a very difficult position to be in if you're an employer."

The biggest skill gap? Ability to understand the business, according to 72 percent of the respondents.

"The cyber workforce has not kept up from the skills and training perspective," said Schwartz.

Technical skills were mentioned by 46 percent of respondents, followed by community skills by 42 percent.

This isn't a problem that can be solved overnight, he said. Outsourcing and automation can help, as can attracting more women to the profession, and working with college programs to help them offer more cybersecurity courses.

"We have to have people taking the correct education at the university level -- and there aren't enough today anywhere in the world," he said. "It will take years to solve the human resource gap."

[ Young adults clueless on cybersecurity profession ]

Other bad news in the study was that 77 percent said they saw more cyberattacks in 2014 than the previous year, and 83 percent said that it was likely to very likely that they will experience a cyberattack in 2015.

There was some good news as well, however, and that was in the fact that companies are beginning to take security more seriously.

"Even when IT departments are seeing cuts in their budgets, information security budgets are not being cut," said Schwartz.

Security budgets are increasing this year at 56 percent of companies, 83 percent test their security controls at least annually, and 79 percent said that their board of directors were concerned with cybersecurity.

"My personal experience is that historically, it was very very difficult for a VP-level or C-level Chief Information Security Officer to get board level attention to issues such as security training or awareness," said Schwartz. "But with the emergence of some of these advanced actors, some of these sophisticated cybercriminal groups, some hacktivist groups, boards of directors are now paining attention."

Executives demonstrate this support in a number of ways, respondents said. For example, 71 percent enforce security policies, 63 percent provide security with adequate funding, and 56 percent mandate security awareness training.

However, security reports directly to the board of directors in only 11 percent of companies and to the CEO in 20 percent, while 60 percent of the time, security reports to the CIO.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.