Key findings at a glance:
- 37% of participants reported that their organisation had detected or recorded a security incident during 2020. 25% stated that they hadn’t had a security incident, 22% didn’t know and 16% preferred not to say.
- 42% of respondents believe their senior leadership team has sufficient skill and knowledge to manage cyber risk. 36% don’t think they do and 22% are neutral.
- 61% of BCS members believe their senior leadership team understand what their organisation’s most valuable digital assets are.
- From a cybersecurity perspective, nearly half of respondents (49%) are concerned about the ongoing shift towards third-party cloud computing infrastructure, platforms and software as a service. 22% are not concerned and 28% are neutral.
- Nearly four in ten (39%) of those questioned feel that their organisation affords security enough time and consideration when deploying products in an agile way. 34% think that they don’t and 27% are neutral.
The complexity of the cybersecurity landscape makes it a vital area of interest for everyone, whether in IT or not. In an industry where a breach can result from a well-intentioned mistake, from highly organised criminal activity, from a lone teenage hacker, from a state actor or from a disgruntled employee, the threat surface is huge.
Add in legal compliance issues, the speed of change, user demand, the gap between business leadership and technical understanding and a multitude of other considerations and it is obvious why BCS has such a thriving security community.
So many discussions in tech seem to reduce to terminology, and security is no different, so we asked whether it is important to make a distinction between ‘information security’, ‘network security’ and ‘cybersecurity’. Fifty-nine percent said it is, leaving a significant proportion in the ‘no’ and ‘don’t know’ camps. Other questions produced more decisive outcomes.
As expected, respondents identified a wide range of skills gaps, both technical and in security understanding across the wider business. The specific question we asked was which skills are most difficult to recruit for. The answers ranged from hard security skills, an obvious essential, to softer skills and those involved in integrating more effectively with the business.
Some of the harder skills listed included: red teaming skills; in-depth penetration testing; edge device protection and security postmortem deep forensics. Related deeper skills, or experience-related items, included finding ‘people who are real engineers and think solutions through properly,’ as described by one responder. Also mentioned were an awareness of governance and how it should fit in with the business; general policy knowledge, and those X factors: a conceptual understanding of risk and a security ‘spider-sense’.
We need ‘HR people who have a Scooby-Doo what security is and that it is a profession based on the rule of law,’ wrote one member. And inevitably new staff cause an issue, being, as one commenter wrote: ‘Unable to discern phishing, scam, peering and social engineering and many other cyber security threats.’
That leads to some of the softer skills mentioned, such as empathy and an understanding of user psychology. Of course, a lot of these things need to converge. As one member put it, we need ‘pragmatic cybersecurity understanding in a business environment.’
The inherent tension here was highlighted in this comment: ‘The bigger issue is getting rounded people - it’s easier to find people with either very technical mindsets or very human centric mindsets but harder to find both.’
And, picking up a long-discussed hybrid issue, one commenter wrote that we need, ‘people who can see end to end and can communicate both up and down the business both technically and nontechnically.’
Incidents in 2020
Whilst an understandable 16% of respondents preferred not to say whether their organisation had suffered a security incident this year, 37% indicated they had. Of those, the most commonly reported consequence was organisational disruption (33%), followed by website disruption and loss of data (16%).
Some of the free text answers highlighted the implications more graphically: for example the incidence of ‘brand abuse’. Others saw potential learning moments: ‘Our controls caught it, so we prevented the threat of financial loss. We used the opportunity to retrain the team on external threats via phishing schemes.’
What of the reaction of the main business? Figure 1 lists the primary responses, although one response in the free text answers demonstrates a useful attitude to finding evidence of a breach: ‘we went back to look for more.’
Figure 1: After a security incident, what did your employer do?
What keeps you awake at night?
One member felt that there exists ‘an endemic lack of interest in creating a secure environment. Security teams are severely limited in their effectiveness if not supported by other functions, such as change control, inventory management, technical delivery teams.’ Here is a selection of answers to our ‘What keeps you awake at night?’ question:
- people in my organisation that make our work very difficult because they implement security by ‘negating usability’;
- security is too often treated like a compliance issue, where some boxes have to be ticked in order to avoid too much scrutiny;
- end of life software, poor patching;
- transition to the cloud;
- pretty much everything. Paranoia is a virtue in the IT security arena;
- senior managers abrogating responsibility to junior managers who make inappropriate risk decisions to avoid escalating issues;
- blame culture;
- cyber security fatigue - people acknowledge it is important but fail to act accordingly;
- state actors;
- the volume of work;
- lack of awareness at executive level across the organisation. Zero to little understanding of IT in any shape form or guise. No understanding of the impact the loss of IT services would have. No coherent disaster recovery plans in the event of the loss of service(s);
- that someone has breached the systems and is lying low... watching how things are carried out in the organisation;
- and finally, a nicely balanced concluding remark: ‘There is no point panicking. It is important to be doing the right things and have the right support and understanding around you to do an effective job.’
For a number of years now BCS’s IT Leaders survey has shown security and cloud issues running neck and neck as priorities.
This is well reflected in the spread of answers to our question: ‘From a cybersecurity perspective how concerned are you about the ongoing shift to third party cloud computing infrastructure, platforms and software as a service?’ 49% said they were very concerned or concerned. Only 6% had no concerns at all. Why? See Figure 2.
Figure 2: What concerns you particularly about the cloud?
Many of these issues will be covered in our security pages over the next few issues. The BCS security specialist groups are filled with experts and run a lot of events to pick up just the sort of threads mentioned above. But this research went further, and the forthcoming report will also cover several other current issues:
- effective AI use in cybersecurity - now and in the future;
- cybercriminals’ deployment of AI;
- AI and redundancies in the cybersecurity profession;
- the potential for AI creating new jobs in cybersecurity;
- the risks of 5G.