Feature

Cyber teams are stressed and underfunded - cyber resilience starts with them

Chris Dimitriadis, chief global strategy officer at ISACA, argues that cyberattacks are becoming more frequent and that stopping them starts with investing in staff.

You don’t need a crystal ball to know that cyberattacks will only become more high profile and more frequent over the coming years. We’ve seen it in real time this year as major hacks and outages have disrupted public services, critical infrastructure, and business alike.

Where cyberattacks are concerned, it’s becoming a matter of when they will happen – not if they will happen. At ISACA, our latest State of Cybersecurity report revealed that 70 per cent of respondents – cybersecurity professionals – said they are experiencing more or the same level of cybersecurity attacks compared to a year ago. 58 per cent agree that it is likely that their organisation will experience a cyberattack in the next year, up from 52 per cent in 2023.

That the situation is worsening points to the fact that there needs to be more investment in the right staff and skills to better prepare and respond to such attacks when they happen.

But cybersecurity teams are stressed and underfunded

Despite this growing problem, the lack of funding and investment in cyber teams is only exacerbating the issue. In our research, 90 per cent of respondents reported that they feel their organisation’s cybersecurity budget is currently somewhat or significantly underfunded – and a further 61 per cent feel their organisation’s cybersecurity team is understaffed.

As a result, cyber professionals are not sufficiently prepared to carry out their crucial work, working in thin teams without the necessary budget, especially as the threat landscape becomes harder to navigate. And they’re feeling the strain – in the same survey, 68 per cent of cyber professionals reported that they feel their role is more stressful now compared to five years ago, with 79 per cent of them putting this down to the increasingly complex threat landscape.

The lack of support, training, and investment is therefore limiting the cyber resilience of those organisations whose teams cannot work to their full potential. Many of these businesses neglect cyber teams when it comes to decision making: 47 per cent of professionals working in cyber said they were not involved in the development, onboarding, or implementation of AI solutions, and 42 per cent were not involved in the development of a policy governing the use of AI within their organisations.

This is a critical oversight given the cyber risk implications of new and emerging technologies like AI, and suggests that businesses are failing to prioritise cyber resilience when making these decisions.

In essence, cyber teams which are understaffed and underfunded work in a more reactive than proactive way, firefighting as threats emerge rather than preventing them in the first place. This leaves professionals stressed, worried, and overworked, and the organisation itself more vulnerable to attack.

Skills and training are a key way to support teams and drive resilience

The cybersecurity industry has a persistent skills gap – the shortage of cybersecurity professionals in Europe is estimated at between 260,000 and 500,000. Indeed, our State of Cybersecurity report found that 45 per cent of respondents cited another reason their role is more stressful now than five years ago: they are not sufficiently trained or skilled.

At a time when bad actors are only getting more sophisticated, we can’t afford to put both businesses and people at risk – a single attack on one company can have adverse effects on its entire supply chain and network. Every organisation needs trained and skilled professionals in the right roles who understand the ever-evolving nature of the threat of cyberattacks. Cyber roles are constantly evolving as new technology emerges – take, for example, the rise of AI and the web of cyber risks which have surfaced as a result. Professionals working in the industry need consistent upskilling or they risk being several steps behind bad actors.

Training and diverse hiring practices are the key to combating the skills gap and making organisations more resilient. Given the massive shortage of people in the industry, the ‘conventional route’, such as a degree in cybersecurity or years of experience, does not need to be the only way for talent to enter the industry. Businesses should encourage people who don’t necessarily have a background in security to take the leap into cyber and then train them on the job in order to widen the talent pool.

The best route into the cybersecurity sector varies from person to person, and there are several ways to earn certifications and skills. Technical qualifications are not the only gap, though: 51 per cent of cyber professionals feel that soft skills are the biggest skills gap in the industry. Of the soft skills in question, 54 per cent state that communication skills (such as speaking and listening skills) are the most important, followed by problem-solving (53 per cent) and critical thinking skills (48 per cent).

If businesses rethink their hiring strategies and prioritise candidates who demonstrate the necessary strong soft skills, enthusiasm, and a genuine interest in the sector, they can train those people as they go and support them in earning the right qualifications. Organisations therefore become more resilient to external threats and have a healthy workforce of cyber professionals who feel supported in their career development.

Cyber resilience is part of an organisation’s duty of care

Cyber resilience is so important, not only because a cyber resilient organisation can better protect itself, but because a cyber resilient organisation also protects its customers, suppliers, and everyone across its network. Supply chain resilience is a combination of a business’s level of vulnerability and its level of dependency on others in its network.

Businesses should not invest in cybersecurity as a box-ticking exercise, but as part of their duty of care to end-users, customers, and stakeholders. In order to build resilience, businesses must understand their key dependencies, where along the supply chain potential issues lie, and what to do in response if things go wrong.

In the cybersecurity industry, collaboration is key to creating secure environments and frameworks. Whatever the size of the organisation, conversations around risk need to happen with others in the network, so that everybody is comfortable with how processes are being organised and run across the chain. Companies must talk to each other about the threats they are facing and protect each other against the big-ticket issues which can go wrong.

Cyber resilience is a team effort

All in all, dealing with the growing threat of cyberattacks will require a multi-pronged approach from each and every organisation. Driving cyber resilience starts at the very beginning of the process with the hiring practices, training opportunities, and career development of cyber professionals to plug the skills gap and help teams feel supported and skilled.

This effort should continue through to involving these professionals in both the day-to-day decision making and the big-ticket strategies like the implementation of AI solutions to ensure security is built into any new processes. Then, businesses should think about their cyber resilience holistically and collaborate with other organisations about the threats they face and how they can be overcome.

In a truly cyber resilient society, cyberattacks will still happen, but they will not be as damaging and catastrophic as those we have seen in the last few years. Rather than completely halting public infrastructure or crippling businesses and their consumer trust, organisations will be able to limit the harm of an attack and carry out a response plan which is thorough, informed, and effective.
