Low Confidence in Cybersecurity Culture: Survey Reveals Room for Improvement
In a recent survey, fewer than one in three cybersecurity professionals said they believe their organization has a cybersecurity culture that is better than average. This alarming statistic highlights significant challenges and opportunities for enhancement within organizational security frameworks.
The survey, titled "The Life and Times of Cybersecurity Professionals," is now in its eighth year and was conducted by the Information Systems Security Association (ISSA) alongside Omdia, a division of Informa TechTarget. It surveyed 380 IT and security professionals on various aspects of their work, including job satisfaction and the overall effectiveness of their security teams.
When respondents were asked to evaluate their organization’s cybersecurity culture, only 29% rated it as "advanced." By contrast, half (50%) considered it "average," while 19% described it as "fair." This distribution underscores a wide spectrum of experiences among professionals within the field, suggesting a collective recognition of the need for improvement in organizational security practices.
The survey also revealed several suggestions from cybersecurity professionals aimed at enhancing security protocols. A significant portion of respondents (42%) called for increased training for cybersecurity and IT staff. Following closely in importance, 37% highlighted the need for more investment in both personnel and technological resources. Other recommendations included enhancing governance and compliance practices (36%), improving cyber hygiene (35%), fostering a stronger security culture across the organization (34%), providing more security awareness training for non-technical employees (33%), boosting capabilities for threat prevention, detection, and response (31%), and conducting frequent tests to validate security controls and expose vulnerabilities (30%).
The desire for improved collaboration between security and IT teams was echoed by 44% of the respondents, who advocated for the integration of cybersecurity staff within functional technology groups. Furthermore, 41% called for automated processes that foster cooperation between security personnel and their IT counterparts. While the ambition for increased cooperation is clear, achieving such collaboration remains a challenge that necessitates effective leadership and the development of soft skills.
Melinda Marks, the cybersecurity practice director at Omdia, emphasized the critical role of leadership in achieving meaningful collaboration within organizations. She asserted that cybersecurity professionals must demand a "seat at the table" during critical technology discussions. This involves contributing to conversations about security features and assessing the safety of potential technological adoptions. Marks highlighted that this form of collaboration often hinges on soft skills such as effective communication and teamwork, which are distinct from the purely technical abilities typically associated with cybersecurity roles.
Organizations boasting a robust cybersecurity culture often feature security leaders and teams who actively seek solutions rather than adopting a "Team of No" mentality, which tends to reject new ideas outright due to safety concerns, according to Marks. Successful companies strike a balance between risk assessment and innovation, demonstrating that organizations committed to growth must invest in cybersecurity professionals who are well-versed in emerging technologies and capable of aligning their objectives with broader organizational goals.
Moreover, Marks pointed out the vital need to address ongoing pressures faced by security teams, as reflected in the survey’s job satisfaction metrics. An alarming 20% of respondents admitted to contemplating leaving the cybersecurity profession regularly, indicating a pressing need for employers to focus on both technological investments and the well-being of their personnel.
As for the issue of burnout, Shawn Murray, a distinguished fellow and past president of ISSA, remarked that solutions must come from the highest levels of an organization. He stressed that if leadership does not prioritize security, it compounds the struggles faced by cybersecurity professionals, particularly Chief Information Security Officers (CISOs) trying to negotiate budgets and recruit staff.
Despite these challenges, Murray observed a positive trend: CISOs are increasingly finding their voices heard at the executive and board levels. He noted that it is now easier for CISOs to engage with boards, and a rising number of them report directly to CEOs rather than other technical officers like the Chief Technology Officer (CTO) or Chief Information Officer (CIO).
In conclusion, the survey results present a mixed picture of the cybersecurity landscape. While the statistics show that many professionals feel their organizations are lagging behind in creating a robust security culture, they also indicate a clear pathway for improvement through training, investment in tools and personnel, and a focus on collaboration. As cybersecurity continues to evolve, the emphasis on leadership, soft skills, and mental well-being in the workforce will be vital for fostering a secure and innovative organizational environment.

