A majority of senior cybersecurity professionals at the UK’s largest organizations struggle with feelings of helplessness and professional despair, new research by Green Raven Limited indicates. These negative emotions result from practitioners’ anticipation of eventual, inevitable failure to protect their organization. Most practitioners say these same feelings spill over into and impact their personal lives.
With the standard, increasingly expensive, throw-money-at-it-and-hope-something-sticks approach to cybersecurity failing to stem global losses, practitioners yearn instead for a more precise understanding of threats so they can target budget and defenses where they are needed. To meet this need and help tilt the odds back in their favor, practitioners have high hopes for new, AI-based tools.
Cybersecurity losses leading to despair
Commissioned by specialist cybersecurity consultancy and reseller Green Raven Limited and conducted by research specialist Censuswide, the research comprised a quantitative survey of 200 professionals responsible for cybersecurity, cybersecurity teams and associated budgets in organizations of more than 1,000 employees. The results showed that:
- 70% admit to feelings of professional despair/helplessness at the inexorable rise in cyber losses. Despite being responsible for rapidly increasing cybersecurity budgets, an unhealthy majority of 59% agree that it’s “a matter of when, not if” their organization suffers loss due to a cybersecurity breach. Almost three-quarters say they would consider a major breach as a personal failure.
- 59% of respondents admit feelings of professional despair/helplessness have a negative impact on their personal lives and/or mental health.
- Almost 70% are under pressure from senior management/boards to better justify their next annual cybersecurity budget against the actual risks and threats faced by their organization. 66% of this cohort, and over half of all respondents, say they struggle to do so.
- Fewer than half of respondents believe their organization is investing sufficiently in cybersecurity, despite nearly 90% of respondents reporting that their cybersecurity budgets are increasing. 5% describe budgets as increasing rapidly.
- 79% of respondents recognize that the ‘gold standard’ process for risk and compliance management comprises the four steps of identification, assessment, treatment and monitoring; three-quarters of respondents say their organization executes all four steps. Of the handful that disagreed, over half said their organizations rely instead on abbreviated methodologies based on scrutinizing risks and emphasizing defensive measures.
- Two-thirds of respondents say that not knowing where the next cyberattack will come from feels like permanently working with a blindfold on.
- Almost four in every five respondents expect that new, AI-enhanced tools will finally give them an advantage over threat actors in the form of better cyber threat intelligence that tells them from where an attack will likely come and/or where it will land.
Interpreting the research
Based on the research, Morten Mjels, CEO of Green Raven Limited, commented: “The research appears to highlight some contradictory thinking by respondents: Despite the impact on their lives, ever-rising cybersecurity budgets and the belief that a breach will occur in the end anyway, respondents are still happy to say that current cybersecurity strategies are ‘sustainable’ — when their own observations clearly indicate otherwise.
“Then there’s also the pressure: Practitioners believe the defenses in which they are responsible for investing increasingly large amounts of money will ultimately fail to protect their organization, and expect to feel or to be held responsible when the big breach comes. It’s the cybersecurity version of the old maxim that ‘all political careers end in failure.’ Many cybersecurity practitioners appear resigned to the idea that their career could hit the buffers in a similar fashion. Having that expectation dangling over your head daily can’t be healthy, and it’s unsurprising that it emotionally impacts dedicated, hard-working practitioners,” he observed.
“Third, it’s uncomfortable to learn that a full quarter of respondents at these big organizations recognize that they aren’t rigorously applying the gold standard, four-step process [of identification, assessment, treatment and monitoring] to risk and compliance management. This chimes with what we observe ‘in the field,’ where we frequently encounter approaches, processes and solutions which resemble a two-and-a-half step process and ultimately emphasize defensive measures — the approach that currently isn’t working.
“It begs the entwined questions of whether or not a significant number of practitioners might misunderstand the gold standard process, and whether existing solutions and practices have contributed to a watering down of that process that practitioners haven’t noticed happening,” he said.
“Finally, it’s clear that practitioners are pinning a great deal of expectation on new or emerging AI-based solutions to tilt the field back in their favor. Since they know that bad actors will also have access to new and emerging AI-based tools, it may be that they expect some sort of cancelling-out effect to occur, resulting in the cybersecurity equivalent of a nil-nil or low-scoring draw — which the research suggests they’d bite your hand off for,” he concluded.