Discrepancies still exist in solving cyber security
Cyber security is now front and centre on organisations' boardroom agendas, but most chief information security officers (CISOs) have yet to earn a seat at the table.
This is according to a recent survey conducted jointly by the Information Systems Audit and Control Association (ISACA) and RSA Conference, for which 461 cyber security managers and practitioners were interviewed.
The report says while organisations are placing greater emphasis on keeping their digital assets safe, security managers are still being left out of top executive leadership teams.
Only one in seven CISOs report directly to the CEO; the rest generally report to the CIO.
Jennifer Lawinski, editor-in-chief at RSA Conference, says that while there are signs C-level executives increasingly understand the importance of cyber security, there is still room for improvement.
The majority of CISOs still report to CIOs, which shows cyber security is viewed as a technical rather than business issue, she adds.
She says the survey highlights this discrepancy to give the information security community an opportunity for growth.
The report also found that 74% of security professionals are expecting a cyber attack on their organisation in 2016, while 30% currently experience phishing attacks every day.
However, the cyber security skills gap poses its own threat to keeping an enterprise safe, it says.
The past year saw a 12-point drop in the percentage of security professionals who are confident in their team's ability to detect and respond to incidents, dipping from 87% in 2014 to 75% in 2015, it adds.
Among those 75%, six in 10 do not believe their staff can handle anything beyond simple cyber security incidents, it notes.
In addition, the number who say that fewer than half of job candidates were considered "qualified upon hire" has risen from 50% to 59% in a year. Twenty-seven percent need six months to fill a cyber security position, up three points from 2014.
"The lack of confidence in current cyber security skill levels shows conventional approaches to training are lacking," said Ron Hale, chief knowledge officer at ISACA.
"Hands-on, skills-based training is critical to closing the cyber security skills gap and effectively developing a strong cyber workforce."
Hale says cyber attacks are still pervasive and companies are still experiencing many of the same attack types that have plagued them for years.
However, it is increasingly difficult to hire fully capable cyber practitioners and others who are part of the enterprise assurance and risk management network, he adds.
"The good news is that executives and board members are very concerned. They recognise cyber threats are harming the bottom line."
The challenge, however, is that fewer than half of executives follow good security practices themselves (43%), and only 59% mandate cyber awareness, says Hale.
Cyber security is not only a technical problem: many attacks target the weakest link, namely executives who do not follow good practices and employees who are not security aware, he adds.