No matter how good you are, your organization will be victimized: This is a hard one to swallow, but if we take the “five stages of grief” approach to cybersecurity, it’s better to reach the “acceptance” stage than to remain in denial, because much of what happens is simply out of your control. A global survey of 1,309 IT and security professionals found that 79% of organizations suffered a cyberattack within the past 12 months, up from 68% a year earlier, according to cybersecurity vendor Netwrix’s Hybrid Security Trends Report. Compromised credentials (16%) and phishing (15%) were the two top initial attack vectors identified in the 2024 edition of IBM’s annual Cost of a Data Breach report, conducted by the Ponemon Institute. So, despite security awareness training, end users still fall for phishing and still have their credentials stolen. Once an attacker is inside your network, they can operate for months without your knowledge: the same report puts the average time to identify and contain a breach at 292 days when stolen credentials are the entry point, 261 days for phishing and 257 days for social engineering. What you can do: Gartner recommends that security and risk management (SRM) leaders shift from a prevention mindset to a focus on cyber resilience, which emphasizes minimizing impact and enhancing adaptability. In other words, adopt a “when, not if” mentality and accept that incidents are inevitable.
Breach blame will fall on you, and the fallout could include personal liability: As if getting hit by a security breach isn’t enough, new Securities and Exchange Commission (SEC) rules put CISOs in the crosshairs for personal liability. The rules, which took effect in 2023, require publicly listed companies to disclose any material cybersecurity incident within four business days of determining that it is material. Two high-profile cases have already been brought against security chiefs. Former Uber CSO Joe Sullivan was charged with obstructing a Federal Trade Commission investigation related to a 2016 data breach at the ridesharing company; he was found guilty in 2022 and sentenced to probation in 2023. In 2023, the SEC charged SolarWinds CISO Timothy G. Brown with fraud and internal control failures related to the SolarWinds supply chain compromise disclosed in 2020. A federal district court has since dismissed most of those charges. But the concern remains that CISOs will take the fall for data breaches: in Proofpoint’s 2024 Voice of the CISO survey, 66% of global CISOs said they are concerned about personal, financial and legal liability in their role, up from 62% in 2023. What you can do: You can’t always prevent breaches, but you can have a solid incident detection and response plan in place. There are also ways CISOs can protect themselves from personal liability, including retaining your own lawyer and lobbying for inclusion in your company’s directors and officers (D&O) insurance policy. Establishing open lines of communication with the board and C-suite is essential, as is having a playbook that lays out which disclosures and filings the new rules require and within what deadlines. It is also vital to consider how you communicate about known weaknesses and incidents in progress, because internal messages can later be used as evidence.
Skills and talent shortages aren’t going away anytime soon: The raw numbers are always a bit shocking when ISC2 unveils its annual cybersecurity workforce study. In the 2024 edition, the shortage of workers grew by 19% to hit 4.8 million, while the overall size of the workforce remained flat at 5.8 million. Even more troubling than the staffing gap, 90% of those surveyed said there are skills shortages in their organizations, with nearly two thirds (64%) viewing these skills shortages as more serious than the personnel shortages they are dealing with. “It’s not just about the people available in the market. It’s about the skilling, and I think that’s where the focus needs to be, getting the right skill sets into the right job roles,” said Jon France, CISO at ISC2. The cyber skills gap has increased 8%, with two out of three organizations reporting moderate-to-critical skills gaps, according to the World Economic Forum’s Global Cybersecurity Outlook 2025. This double whammy leaves organizations more vulnerable to attack and less equipped to respond when breaches happen. What you can do: Here’s where AI can help: organizations can use it to automate and optimize manual processes so that scarce staff spend their time on work that requires judgment. Upskilling existing staffers is vital, and recruiting from within the organization is another tactic that can pay dividends.
The bad actor plotting an attack might be sitting right next to you: This is another tough pill to swallow, but insider attacks, whether employees stealing data to sell for profit or disgruntled employees trying to do harm, are on the rise. When security pros strategize about how to stay one step ahead of cybercriminals, the image that typically springs to mind is somebody in Kazakhstan, not somebody in the next cubicle. But according to a survey from Gurucul, 60% of organizations reported insider attacks in 2023, and that number jumped to 83% in 2024. The 2025 Ponemon Cost of Insider Risks Report puts the average annual cost of insider incidents at $17.4 million, up from $16.2 million in 2023. What you can do: This is another area where AI can be put to good use. Machine learning systems can support threat hunting and baseline normal user behavior (logins, data access, file movement) so that deviations, such as an employee bulk-downloading repositories they have never touched before, are flagged early enough to intervene before data leaves the building.
Burnout remains a significant problem: Gartner sums it up this way: “The ever-shifting threat and technology landscape, increasing business demand, and regulatory requirements, coupled with the endemic talent shortage, is generating a perfect storm. As a result, the security industry is experiencing a mental health crisis as security and risk management leaders and their teams experience increasing levels of burnout.” Gartner analyst Deepti Gopal adds, “Cybersecurity professionals are facing unsustainable levels of stress. CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.” The vicious cycle starts with an understaffed security department where practitioners are required to work unsustainably long hours. Fatigue compounds the stress already inherent in the job, which leads to burnout. The implications can be disastrous: burned-out workers might skip routine tasks like installing patches or ignore alerts (alert fatigue), leading to more breaches. In fact, 39% of IT leaders fear a major incident due to overburdened staff, according to a recent survey from Adaptavist. What you can do: Experts recommend a multi-pronged approach: reduce cognitive overload by simplifying and streamlining processes, automate as much of the job as possible, and provide adequate and frequent training and upskilling. In addition, HR should be involved with stress management training, resilience-building programs, flexible work arrangements, digital detox programs, and other tactics designed to address burnout. Gartner predicts that by 2027, CISOs investing in cybersecurity-specific personal resilience programming will see 50% less burnout-related attrition than peers who don’t.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3996353/6-hard-truths-security-pros-must-learn-to-live-with-3.html