As the threat of cyberattacks on organizations keeps growing, there is rising concern that the skilled professionals able to help those organizations mount a defense are scarce and will become scarcer. This has driven a trend of companies outsourcing some or all of their cybersecurity services to fill the gaps left by the talent shortage. Additional insights, trends, and business leaders' perceptions of cybersecurity are detailed below.
Unfilled Cybersecurity Positions
- Cybersecurity Ventures projects 3.5 million unfilled cybersecurity positions by 2021; another report puts the figure more conservatively at 1.8 million by 2022.
- Either way, it is a serious cause for concern as the world grapples with increasing cyberattacks: a report by ESG and ISSA found that “a lack of adequate cybersecurity staff (22%)” is the second most common reason cyber incidents occur, just behind “a lack of adequate training of non-technical employees (31%).”
- In 2019, the unemployment rate for cybersecurity professionals was zero percent, where it has stood since 2011.
- If the skills gap is not closed, the shortage is likely to act as a catalyst for a rising number of breaches.
- The skills gap is also a market opportunity within the larger cybersecurity industry. Currently, there are “new education tools cropping up outside of the traditional classroom, offering free coursework designed by ethical hackers for the growing cybersecurity talent pool.” These free resources could turn into paid offerings as demand grows.
The Growing Threat of Cryptocurrencies
- Privacy-focused cryptocurrencies such as Monero make anonymity the hallmark of their offering, which makes transactions in them hard to trace and therefore attractive to threat actors engaged in all kinds of illicit online activity.
- Bitcoin alone is already involved in an estimated $76 billion of illegal activity.
- Cryptocurrency exchanges are themselves targets: in 2018, exchanges lost about $1 billion to hacks, and Coincheck, a Japanese exchange, lost $534 million in a single incident.
- There is also the growing threat of cryptocurrency-mining malware, known as cryptojacking: code, whether installed on a device or delivered as a script through a web page, that consumes the victim's CPU or GPU to mine cryptocurrency without the device owner's permission.
- In a December 2017 report, “Check Point revealed that 55 percent of businesses globally were impacted by cryptominers.” Another report a few months later found that “4,000 websites worldwide, including many government ones, were affected by the cryptojacking script.”
- Cryptojacking was one of the fastest-growing categories of attack in 2018, and as cryptocurrencies gain wider acceptance, the threat they pose to cybersecurity is expected to keep increasing.
No Consensus on Cyber Law
- Despite the launch of the Paris Call for Trust and Security in Cyberspace, which called for “the development of common principles for securing cyberspace,” little has been achieved. The call failed to gather enough support because many countries hold “very different views on what constitutes the core of their national cybersecurity.”
- With no consensus, many countries have created “intrusive regulatory and legal frameworks to address cybersecurity concern[s],” leading to a fragmentation of the internet.
- This plays out in several ways. First, it leaves corporations with a global footprint having to comply with multiple, differing cybersecurity and data protection laws. A recent example is the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.
- Second, it makes it difficult to bring criminals to justice, especially those who seek safe haven in countries with no or lax cybercrime laws. Extradition becomes difficult “because the extradition treaties of many countries have a ‘double criminality’ requirement”: country A will only extradite a suspect to stand trial in country B for breaking B's law when a similar law criminalizes that offense in country A.
The Growing Implication of Fake News to Cybersecurity
- Fake news is a deliberate ploy to lie or twist narratives to win hearts and minds, and it is on the rise. One example is a false story that Pepsi had refused service to Trump supporters, which drove consumer sentiment toward Pepsi 35% below its usual average.
- Furthermore, KPMG noted that the world will see more “automated targeting of individuals and specific interest groups through social media, whether that be tailored advertising, trolling or spear phishing.”
- The continued growth of AI-based technologies such as deepfakes will make it ever easier to produce manipulated videos and images that can be used to falsely incriminate individuals or organizations.
- Fake news will affect the cybersecurity industry in several ways. One is that it will drive the development of tools and infrastructure for detecting and taking down fake content.
- Additionally, there are concerns that governments around the world will introduce legislation limiting their citizens' freedom of speech under the guise of tackling fake news.
Rising Cost of Recovering from Ransomware
- Ransomware damage costs are projected to be at least 57 times higher in 2021 than in 2015: $325 million in 2015, rising to an expected $20 billion by the end of 2021.
- Cybersecurity Ventures also notes that ransomware is the fastest-growing type of cybercrime, with a new victim expected every 11 seconds by 2021, compared with every 14 seconds in 2019.
- According to IBM, ransomware attacks grew 67% year-on-year between 2018 and 2019.
- Coveware reported that the average ransom payment rose to $84,116 in the fourth quarter of 2019, a little over double the previous quarter's figure of $41,198.
- Ransomware costs stem from ransoms paid to criminals, hardware replacement, brand damage, lost revenue, and repair and recovery costs.
- Damage from cybercrime overall is expected to reach $6 trillion per year by 2021, up from $3 trillion in 2015.
- “Global spending on cybersecurity products and services is predicted to exceed $1 trillion (cumulatively) over five years, from 2017 to 2021.”
- According to a study by Ovum, 73% of organizations use over 25 cybersecurity tools, and 9% use 100 or more.
- 56% of employers do not provide their cybersecurity team with the right level of training to keep up with business and IT risks.
- State governments spend 1-2% of their IT budget on cybersecurity.
- In 2019, 8.5 billion records were compromised in breaches, and the cumulative number of publicly disclosed vulnerabilities passed 150,000.
Trends in the Cybersecurity Industry
Increased spending on Security Services
- In 2018, for the first time, spending on security services surpassed spending on security products and infrastructure.
- Organizations were expected to budget as much as four times more for services in 2019 than in 2018, leading Forrester to declare 2019 “The Year Of Services.” Companies were expected to spend $64.2 billion on security services in 2019.
- Gartner also predicts that by the end of 2020, companies will be spending 50% of their cybersecurity budgets on services.
- Overall, the services segment of the cybersecurity market is expected to grow at a compound annual growth rate (CAGR) of 11.2% over five years.
- The principal factors driving this trend are the shortage of security talent and new privacy legislation.
- As one analysis puts it, “investment in services can cool the burn of a persistent talent shortage, and CISOs can fully outsource capabilities to managed security service providers (MSSPs) or contract with experts to train internal staff.”
- Over 22% of security decision-makers cite a shortage of staff as a constraint in their fight against cybercrime.
- Gartner forecasts that “privacy regulations will drive at least 10 percent of service investment growth this year as companies turn to third-party experts for help with areas such as identity and access management (IAM), identity governance and administration (IGA), and data loss prevention (DLP).”
- Another factor driving the growth of security services is that outsourcing makes it easier and more cost-effective to keep up with advances in security technology.
- Mid-sized organizations tend to spend more on security services.
Growing attacks on Supply Chains
- Industry 4.0 and other digital innovations are transforming the “traditional linear supply chain structure by introducing intelligent, connected platforms and devices across the ecosystem, resulting in a digital supply network (DSN) capable of capturing data from points across the value chain to inform each other.”
- While this transformation improves the flow of materials and goods, it has created three categories of digital assets that are attractive to attackers: information technology (IT), intellectual property (IP), and operational technology (OT).
- Deloitte notes that the two main areas of risk in digital supply chains are “increased access to data for more stakeholders due to imperative data sharing and vendor acceptance and payment in a broader market.”
- According to KPMG, 80% of cyber breaches come through the organization's supply chain.
- KPMG also notes that a “well-managed IT estate can provide a challenge to many attackers, but that means a change in tactics towards growing attacks on the supply chain,” including targeting supply chain partners directly.
- As a result, companies are pushing their suppliers to “improve security through increasingly demanding contract terms and inspection visits.”
- As more companies rely on remote workers, threats to the supply chain are expected to increase.
Business Leader’s Perception of Cybersecurity
Most Challenging Aspects of Cybersecurity
- In a Deloitte survey of 500 C-suite executives “who have visibility to and responsibility for cybersecurity in companies with at least $500 million in annual revenue,” the following were the most challenging aspects of managing cybersecurity across enterprise infrastructure:
- The view varies among stakeholders. For chief information security officers (CISOs), the values are:
- For chief technology officers (CTOs), the values are:
- For chief information officers (CIOs), the biggest challenges are:
- Looking at the specific activities and features of cybersecurity that respondents find particularly challenging, data complexity (16%) tops the list, followed by better prioritizing cyber risk across the organization (15%) and keeping up with IT changes (15%). Other notable challenges are a lack of skilled cyber professionals (14%), lack of management alignment on priorities (14%), inadequate funding (13%), and inadequate governance (12%).
How Organizations Allocate Budget and Time to Cybersecurity
- The activities to which respondents of the same Deloitte survey devote the most time are cyber monitoring and operations, cyber governance, and cyber resilience.
- The activities and the percentage of time spent on each are:
- Identity and access management: 8%
- Cyber monitoring and operations: 13%
- Cybersecurity governance: 12%
- Cyber resilience: 12%
- Application and data protection: 8%
- Endpoint and network security: 8%
- Third-party/supply chain security management: 8%
- Regulatory and compliance matters: 7%
- Enterprise cyber reporting: 7%
- Enterprise stakeholder awareness and communications: 7%
- Strategy and program transformation: 8%
- According to Deloitte, this time allocation shows these stakeholders “heavily focusing on two of the five core functions of the National Institute of Standards and Technology (NIST) framework—detect, and respond and recovery—while cyber governance absorbs the third top spot.” Cyber monitoring and operations corresponds to the Detect function, and cyber resilience to Respond and Recover.
- The survey also found that the cybersecurity budget is allocated in much the same way as time. The budget is split as shown below:
- According to Deloitte, the respondents of this survey “believe there are notable gaps in organizational capabilities to meet today’s cybersecurity demands.” The most notable gaps or challenges expressed in this regard include “their ability to help the organization better prioritize cyber risk across the enterprise (15 percent), followed closely behind by lack of management alignment on priorities (14 percent) and finally, by adequate funding (13 percent).”
Cyber Incident Response and Reporting
- To prepare for incident response, C-suite executives typically review and update response and business continuity procedures annually (48%), participate in a cyber wargame exercise (32%), and run tabletop exercises (32%).
- Additionally, “32% of cyber leaders surveyed say they plan to leverage their incident response (IR) processes to handle data destruction attacks that use advanced tactics, indicating that most companies still rely on standard disaster recovery or specific data backup protocols for data destruction events.”
- According to McKinsey, board members are unhappy with the cybersecurity reports they receive, in part because IT and security executives “use manually compiled spreadsheets to report cyber risk data to their boards.”
- Another survey reports that 54% of executives find cybersecurity reports too technical. Such reports are often poorly written and laden with jargon, so board members cannot form a true picture of the organization's risk posture.
- Executives also report receiving separate and conflicting cybersecurity reports from different departments, which McKinsey attributes to a lack of consistent real-time data. Moreover, the underlying data in these reports is typically too dated “to be of use in managing quickly evolving cyberthreats.”