The most common challenge for CISOs is resource constraints: not enough staff, budget or technology to support the security program needed or meet compliance requirements, according to DirectDefense.
Cybersecurity industry faces ongoing talent shortage
The World Economic Forum claims there’s a global shortage of nearly 4 million professionals in the cybersecurity industry – and that shortage is after a 12.6% growth in the cybersecurity workforce between 2022 and 2023. The government and healthcare sectors are among those experiencing the greatest cybersecurity workforce shortages, which presents unique challenges because these industries are so highly regulated.
“This same narrative has been repeating for years; businesses are moving to the cloud and facing tighter compliance regulations – all while budgets remain tight and security threats grow more serious,” said Jim Broome, CTO at DirectDefense. “It all requires more staff with advanced skill sets and an ability to learn and adapt to constant changes – which can lead to burnout.”
CISOs and other security professionals are ripe for burnout. Surveys show that 99% of CISOs work extra hours every week, and 1 in 5 work an extra 25 hours per week. The demands of the cybersecurity work environment have been found to affect the productivity of 64% of cybersecurity professionals, which can lead to increased breaches. Broome believes that the cybersecurity skills gap is one of the biggest challenges when designing for cyber-resilience.
The report also points to the lack of security customization. Different industries face unique cybersecurity challenges and what worries one sector may not even concern another. The combination of specific threat actors, technological infrastructure, types of data, and access methods creates a complex web of security risks.
Broome says, “If you’re unsure what you need to strengthen your security program, asking the question, ‘What’s not working?’ can often get you to an answer faster. Are you concerned about ransomware? Are you having problems with employees getting phished? Use this as your starting point.”
CISOs struggle to keep pace with rising cybercrime
Finally, CISOs report an inability to keep up with the growth of cybercrime. Ransomware, extortion, AI, and deepfakes are becoming more sophisticated. Increasingly, ransomware is being coupled with extortion, and while AI has huge potential for good, it has just as much potential for evil.
On one hand, organizations are feeling more confident in adopting generative AI, which will give them an advantage over attackers. Yet, it’s become harder than ever for organizations to protect against social engineering attacks when AI-generated phishing scams can be incredibly convincing.
The concern about ransomware from five or 10 years ago was the complete disruption of the entire network. However, industry-wide security mandates for more resilient backup solutions – which have also become more affordable – have enabled organizations to recover from an attack and get back to business faster. A speedy recovery is no fun for attackers, as it reduces their payout potential. So, attackers needed a new approach.
Today, attackers are getting their big payday from extortion. They’ll break in, steal your data, and lock up your important files by detonating ransomware on servers or on-prem cloud systems – just to let you know they were there. They’re intentionally going after data they know an organization has to disclose was stolen, and threatening to release it unless the ransom is paid – a tactic better known as extortion. Because of disclosure mandates, this attack method has especially impacted the healthcare industry, which previously wasn’t as much of a target.
“We all like to think that we are smart enough to spot a scam, but it is clear that scammers, with the help of AI, are putting time, money and effort into making sure you can’t,” said Broome. “Security awareness training, strong authentication and zero trust programs are preventative methods to protect your organization.”