Five or six years ago, I attended a small security conference where all of the other attendees were CSOs or CISOs for large corporations. As we chatted during the reception, I asked them how they ended up in cybersecurity. To a man (and they were all men), the answer was, “I worked in IT and the bosses needed someone to take care of a security problem. They thought since I knew about computers, I could fix computer security.”
A new survey by Spiceworks shows that attitude might not have changed too much, even as cybersecurity moves to the top of any list of IT concerns. The survey found that nearly 70 percent of IT pros do not have any security certifications nor are their employers willing to invest in the training or certifications needed. Yet, it is likely that these same IT pros are the ones expected to handle the security in their company because more than half the organizations surveyed don’t have or intend to bring on board a cybersecurity expert. Somebody has to handle security, right?
Yet, without security training and certifications, many IT pros seem to believe they have a handle on security, with 58 percent saying they are confident in their ability to respond to cyberattacks on tablets, 52 percent saying they can handle attacks on smartphones, and 44 percent saying they can deal with cloud security incidents. The survey writers phrased those numbers as “only” this number feel qualified to respond, but I think those percentages are pretty high for folks without real security training. I wish the survey had revealed how IT folks without a security background approach security incidents, to see how much of a skills gap really exists. In other words, how much training is really necessary, or is it hit and miss?
Considering the connection between IT and security, it isn’t a surprise, then, that of the C-suite level executives, it is the CIO who sees cybersecurity as a priority (73 percent compared to half or less than half of other C-suite execs).
Perhaps that explains why so few companies are trickling down security education to the rest of the employees. If it isn’t a higher priority for those running the company, why would they invest in it for lower-level staff? Citing an AlienVault study, Computing wrote:
Despite such concerns only 45 per cent provide cyber security training to all their employees including the executive board, while 20 per cent do not conduct any training and instead tackle the fallout of such cyber attacks when they occur.
As the Spiceworks report stated:
… hopefully organizations will start placing more importance in and allocating more funds for cybersecurity training.
I hope so, too. But unfortunately, I don’t see it happening any time soon, not as long as they can turn to IT professionals to take on the task.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba