This feature first appeared in the Fall 2017 issue of Certification Magazine.
When then-presidential candidate Donald J. Trump said during his first debate with Hillary Clinton in September 2016, "The security aspect of cyber is very, very tough. And maybe it's hardly doable," he touched on a basic anxiety that many people have about information security. The fear that nothing is really safe, and that we ultimately can't stop hackers from doing as they please, is perhaps not yet pervasive in world society.
Every time that a previously unknown major breach is uncovered, however, there's probably a bit more of a shift toward the pessimism and despair of thinking that data protection is "hardly doable." It's an understandable impulse. Just in the last three years, the world has weathered a stunning barrage of successful attacks against supposedly untouchable targets.
In June 2015, the United States government's Office of Personnel Management disclosed the theft of files connected to as many as 18 million individuals. In September and December 2016, Yahoo reported separate breaches affecting as many as 1.5 billion individuals. And just about a month ago as you read these words, credit reporting agency Equifax announced the theft of personally identifying information connected to more than 180 million U.S. and U.K. citizens.
As much as we may be inclined to rail against outdated or inadequate software, however, the breakdowns that enable these incidents are almost always attributable, whether directly or indirectly, to human error. Whether because individuals failed to heed clear warnings and take specific actions, or because too few specialists were given dangerously inadequate support when tasked with defending porous digital perimeters, cybersecurity failure is almost always a people problem.
The good news is that there's a people solution. True and effective cybersecurity is only as unattainable as we're willing to let it become. We need the average individual to have a better working knowledge of cybersecurity best practices, as well as a commitment to following them at all times. And we need quite a few more skilled professionals to take up cybersecurity as a career choice.
Our most recent new survey generated some interesting data along those lines, but first we should probably say a few words about the survey itself.
Our new survey format
When we relaunched Certification Magazine in 2014, we committed to making information gathered from surveys of certified professionals a part of every issue. Survey data that reflects the opinions and experience of front-line IT professionals has been a vital element of every issue of the magazine since that time and that strong presence will continue in the future.
Beginning with this issue, however, we've made a strategic decision to stop collecting and reporting salary data, except for once a year when we publish the results of our annual Salary Survey. Surveys rely on the cooperation and participation of many different groups and individuals. Over time we've seen both confusion and fatigue erode the effectiveness of asking for IT salary data four times every year.
So in an attempt to make all of our surveys both more fruitful and less demanding, we've begun the process of making them less redundant. The smaller surveys that feed into our April, July, and October quarterly issues will continue to focus on a particular area of IT — in July it was Big Data, in this issue it's cybersecurity.
Moving forward, however, we'll be shifting questions about IT salary exclusively to our annual Salary Survey (which is open right now at CertMag.com — that's a hint) and using the other surveys to focus both on other aspects of certification and on issues specific to the IT subgenre featured in each magazine. And that gets us back to where we left off a few moments ago.
The cybersecurity people problem
We asked the nearly 300 certified information security professionals who responded to our Security Certification Survey to rate their level of agreement with a series of statements about cybersecurity operations at businesses and other private organizations. Among other issues, there's definite concern about the weakest link in any security chain: people.
An imposing 80 percent of those surveyed either agree (43.2 percent) or strongly agree (38.8 percent) that enterprise security staffs are too small. The neutral "neither agree nor disagree" position was staked out by 14.8 percent of respondents, while the remaining 3.2 percent are all in the "disagree" column. Not a single individual "strongly" disagreed that security staffs are too small.
It's not just that there aren't enough people, either. There's also the problem of individual preparedness. More than 81 percent of respondents either agree (49 percent) or strongly agree (32.3 percent) that security training of non-IT personnel on enterprise staffs is not adequate.
It isn't just those not directly involved in IT, however, who lack adequate cybersecurity knowledge. Most survey respondents either agree (51 percent) or strongly agree (26.5 percent) that security training of IT personnel on enterprise staffs — those who perform specific IT functions — is not adequate. The burden on security staffs, in other words, is increased by lack of knowledge among coworkers.
The cybersecurity technology problem
In addition to lack of staff and lack of training, however, most of the certified information security professionals who responded to the survey believe that organizations are working with inadequate software, hardware, and policy protections. A troubling 65 percent of those surveyed either agree (50.3 percent) or strongly agree (14.2 percent) that enterprise security controls are inadequate.
That's compared to just 10 percent who either disagree (9 percent) or strongly disagree (1.3 percent) that controls are lacking. (A further 25 percent of those surveyed signaled a perhaps lesser degree of satisfaction with the status quo by choosing to neither agree nor disagree.)
Old security technology is also a problem. Nearly 60 percent of survey respondents either agree (48.4 percent) or strongly agree (10.3 percent) that enterprise security controls are outdated. Some organizations, apparently, are keeping pace, as indicated by the 9 percent of respondents who either disagree (8.4 percent) or strongly disagree (0.6 percent) that controls are outdated, with a further 32 percent taking no position.
And though it would seem that most organizations are spending money on information security, there's not much confidence that spending is either well considered, or sufficient to address problems. Slightly more than half of survey respondents either agree (32.9 percent) or strongly agree (18.7 percent) that money for enterprise security measures is spent unwisely, while just 10 percent either disagree (9.7 percent) or strongly disagree (0.6 percent). (Thirty-eight percent took a neutral position.)
A considerably more alarming 74 percent of respondents either agree (47.1 percent) or strongly agree (27.1 percent) that there is not enough spending on enterprise security measures. Just 8 percent either disagree (6.5 percent) or strongly disagree (1.3 percent) that not enough money is being spent, while 18 percent neither agree nor disagree.
Spending on certification
There is one area, potentially, where lack of staffing, lack of training, lack of currency, and lack of spending can all be addressed. Information security certification can increase the number of available security staff by upskilling existing staff. It can increase training among both IT and non-IT personnel. And certification provides both up-to-the-second learning and a regular program for refreshing that knowledge.
Some organizations are already investing in information security certification. Among certified security professionals who responded to our survey, 35 percent paid the entire cost of their most recent security certification themselves. A promising 41 percent of respondents, however, report that their employer paid the total cost of their most recent security certification, while a further 17 percent shared the cost with their employer.
There's a great deal more information to come from our survey. Over the coming months, we'll be posting additional findings online.
Table: How satisfied are certified information security professionals with their training and certification experience?