There is much concern about the realities of “Cyber Battle Fatigue” – a condition resulting from a never-ending process of defending networks and sensitive information from an onslaught of cyber attacks conducted by cyber criminals, cyber espionage actors, and hacktivists. These attackers continue to use a wide variety of tactics, tools, and procedures that range from unsophisticated to very sophisticated, and they continue to have more successes than failures. Two things are certain in a constantly changing domain: one, no business that operates online is immune to being targeted, and two, the cyber security talent pool is sparse, which is contributing to the cyber battle fatigue reality.
The numbers are staggering and continue to outpace previous activity. In 2017, ransomware attacks demonstrated how prolific just one type of attack was. The WannaCry outbreak impacted computers in more than 150 countries and cost approximately USD $4 billion. According to one U.S. IT company, in 2017, some notable cybercrime statistics illustrate the challenges facing network defenders:
• The United States suffered more than any other country, with 1,013 breaches recorded in 2016. In second place was the United Kingdom, which had just 38 breaches.
• In the third quarter of 2016, 18 million new malware samples were captured.
• Mobile platforms continued to be an increasingly popular target for cyber criminals. One security vendor identified 18.4 million malware detections in 2016.
• After breaching an organization’s perimeter, an attacker resided within a network for an average of 146 days before being detected by the host organization.
These statistics represent a mere sample of the types of adverse activities that network defenders confront on a daily basis. Therefore, it comes as little surprise that a dearth of experienced security professionals inadvertently benefits hostile cyber actor operations. The more organizations expand their online footprint, the more potential entry points attackers have to target and potentially exploit. Recent reporting by IT-related media outlets confirms the lack of professionals in the cyber security industry. According to a Global Information Security Study, only seven percent of cyber security professionals surveyed were under the age of 29, and 13 percent were between the ages of 30 and 34. The average age of cyber professionals was 42.
This situation gives cause for concern, as organizations are not shying away from the Internet and networked business operations but are aggressively adopting them. As such, not having the requisite personnel in place, both to ensure the fluidity of online activity and to protect the confidentiality, integrity, and availability of organizational information systems, will greatly impact the organization’s ability to be cyber resilient, a necessary posture in today’s dynamic cyber threat landscape. According to ESG research from early 2017, 45 percent of organizations claim to have a problematic shortage of cybersecurity skills. Perhaps even more telling, this research revealed that 70 percent of the cyber security professionals polled believed that the skills shortage has already impacted their organizations.
Many cyber security staffs likely do not even have enough people to fully address the security needs of their organizations. Ideally, a team would have seasoned professionals, mid-level employees, and younger analysts who are guided and mentored by the more experienced individuals. However, this “dream team” may be more fiction than reality. Not having enough cyber security professionals potentially impacts organizations in another way. If their current staffs are already overworked, this prevents them from updating their security skills via professional development. It is hard for these organizations to let these people go away for any extended amount of time when they do not have the people to adequately cover the temporary loss.
So what is left are organizations competing for seasoned IT security professionals to address the “now” rather than strategically planning for the future and how their security apparatus should look – both in terms of material and personnel resources. What is known about the cyber domain is that a lack of planning to anticipate needs will greatly set back an organization, relegating it to continually playing catch-up with its cyber security posture. This is not an advantageous development. The end result is an acute case of cyber battle fatigue, in which these individuals find themselves akin to Sisyphus rolling that boulder up the hill, only to see it roll back down again.
This repetitive cycle must come to an end, and it starts with organizations investing in cyber security professionals of all levels with the goal of teaching and developing their skills and growing them over time. Yes, there is the possibility of losing these individuals to other employers, but that is no different than any other employee in any other position. Ultimately, the hiring and developing process is worth the risk and the investment will inevitably pay off. But the first step must be taken.
This is a guest post written by Emilio Iasiello