Information Security Professionals – Today’s Unsung Heroes
Security teams work tirelessly every day to protect us from some very skilled cybercriminals. They face a very accomplished and persistent enemy that is bent on stealing our money, personal information, and intellectual property, and generally disrupting business operations. And they do so with inadequate resources.
Lastline conducted a survey at the 2019 RSA Conference that highlights just what these unsung heroes must deal with, with a certain degree of frustration and futility. But as a group, they soldier on, against stiff odds, driven by some very compelling and admirable goals.
Limited Security Resources
The skills shortage has been well documented, which makes everything security teams face that much more challenging. With a nod to the Stanley Cup playoffs, it’s like being on the penalty kill and a skater short for the entire game. In addition to that, our survey found that for the majority there’s simply not enough money to fund the necessary technology and systems.
A minority of respondents didn’t appear overly worried about the budget. While only 2% already have adequate funding, over a quarter of those surveyed (28%) thought it wouldn’t take much to get additional budget – more specifically they said it would only take “a good pitch to execs” to secure adequate funding. This raises the question of why they haven’t done so and highlights the importance of “soft skills” in technology, such as making a business case for a larger budget. But those are topics for another day.
So, what about the other 70%?
- Nearly a quarter of security professionals (23%) thought that it would take a successful attack against their company in order to get executives to spend enough on security, by which time, of course, it would be too late.
- 18% thought that one more highly visible data breach, such as Target or Equifax, would help.
- Perhaps most surprisingly is that nearly 3 in 10 thought it essentially impossible to get adequate funding: 16% thought it would take a declared cyberwar and 12% said it simply will never happen.
Those Being Protected Aren’t Helping
Trying to protect a company is hard enough with inadequate staff and funding, but the actions of the people they’re trying to protect makes security pros’ jobs even harder.
The first finding here is that companies are migrating to the cloud without adequate security protections in place. Moving to the cloud has compelling business benefits, but at what cost?
When asked how secure their company’s data is in the cloud, only half rated their cloud security at 4 or 5 (ranked from 1=” Not at All” to 5=” totally secure”), the other half clearly feeling that security was inadequate from their professional point of view. That doesn’t provide much confidence. For many companies, the migration to the cloud is mandated from on high as a cost-saving measure or to improve operational flexibility. But it’s unsettling to hear that the team responsible for securing that data does not have higher confidence.
And then there are the employees whose security teams are charged with protecting. Despite all of the training and reminders about phishing attacks, employees continue to click on suspicious links and fall victim to social engineering schemes. Perhaps, and understandably, it’s because most employees have expertise in other areas and are focused on their role and priorities, not on security. One finding from the survey provided some insight into this. Nearly a third (31.5%) of security pros believe that at least half of their employees think the cloud is literally in the sky. This is either funny or very concerning (or both). Only one third are confident that all of their employees understand what the cloud is (or at least that it’s not in the sky), with the remaining 1/3 falling in the range of “some, but less than 50 percent” believe the cloud is in the sky.
What Keeps Them Going?
Given these challenges and frustrations, what attracts people to a career in security? What keeps them going? We were pleased to see what rose to the top of the list when we asked about the most important reason they work in security.
It’s not surprising that nearly 1 in 5 (19%, the third most popular response) said that the money is good. It is, and frankly, we’re a bit surprised that this is not a greater draw. The response that garnered the second most responses is one that drives a lot of people in technology: 28% said it is the stimulation and mental challenge. Certainly fighting a sophisticated enemy every day provides plenty of this.
And there’s a large dose of altruism among security professionals, which is particularly heartening to see. The top reason for entering security, indicated by a third of respondents (33%) is to make the world safe from cybercriminals.
If You’re Not Already in Security Already, Join the Fun
In summary, yes there are challenges and frustrations. But the rewards – good pay, stimulating mental challenge, and a chance to make the world safe – are tough to beat. So, if you’re not already in security, come on in, the water is fine. We all know that there are plenty of openings in need of filling.
And if your expertise and interest lies elsewhere, at least show some appreciation for the unsung heroes in your organization that fight the good fight every day to keep you safe from cyberattacks.