The dynamic world of cybersecurity continued its rapid pace of change in 2015, creating new challenges and opportunities for ISACA and our 140,000 global constituents. Of course, 2016 will be no different. ISACA professionals across the globe expect to see an evolving mix of cyberthreats, regulatory issues, and an ongoing shortage of qualified cybersecurity workers needed to address these issues, according to the January 2016 Cybersecurity Snapshot survey.
Nearly 3,000 IT professionals from 121 countries voiced their opinions in the Cybersecurity Snapshot, and the results say much about where cybersecurity is headed in 2016. Respondents said their top cyberthreat concerns for 2016 were social engineering, insider threats and advanced persistent threats (APTs). Fully 84 percent believe there is a medium to high likelihood of a cybersecurity attack disrupting critical infrastructure (e.g., electrical grid, water supply systems) this year. Nearly a third said there will be some increased risk of insider threats (privileged users) vs. last year.
Security Best Practices
ISACA’s well-trained, knowledgeable professionals do not lack for recommendations on how to best tackle these cyberthreats. Adding two-factor authentication was considered the best response for improving security in the virtualized data center, followed by adding dual-person approvals for certain actions. Other suggested solutions included using a password manager for checking in/out password access to systems, and adding air gaps for different types of workloads (e.g., sensitive or non-sensitive).
Another area where ISACA constituents had consistent opinions involved government regulations and privacy issues. We saw significant activity in these areas in 2015, and I believe we can expect to see more of the same in 2016. A majority (63 percent) of respondents believe governments should not have backdoor access to encrypted information systems. A similar majority think privacy is being compromised by stronger cybersecurity regulations.
From an organizational standpoint, 84 percent favor regulation requiring companies notify customers within 30 days of a data breach discovery. Interestingly, only a third of respondents believe their organization would voluntarily share cyberthreat information if it experienced a breach.
These issues make a strong case for organizations to have certified, well-trained cybersecurity personnel. Finding well-qualified cybersecurity professionals, however, is an ongoing, global issue. Nearly half of global organizations are planning to hire more cybersecurity personnel in 2016, and 94% say they will expect to have a difficult time finding skilled candidates.
Not surprisingly, 81 percent say they would be more likely to hire a cybersecurity job candidate who holds a performance-based certification. That’s where ISACA and Cybersecurity Nexus (CSX) come in.
ISACA launched CSX in 2014 and expanded its certification offerings in 2015 with the introduction of the CSX Practitioner (CSXP) certification. CSXP is a vendor-neutral, performance-based cyber certification—the first of its kind—that focuses on key cybersecurity skills and requires demonstration of skills in a virtual lab environment in the Identify and Protect domains.
CSX has big plans for 2016, kicking off now with the introduction of the Cybersecurity Career Roadmap, which will help cybersecurity professionals identify new opportunities for career advancement. It provides the resources to continuously hone your skills, expand your knowledge, and start (and keep) your career on a trajectory toward achieving your goals.
ISACA is committed to all four of its core focus areas— audit/assurance, governance, risk and cybersecurity—and we will be delivering new resources in all of these areas over the course of the year. There has never been a more challenging or rewarding time to be in our field than right now.
I wish you a happy and successful 2016. It’s going to be an exciting year.