
Remarkably, Many Organizations Still Opt for 'Good Enough' Cybersecurity

Posted: January 23, 2017   /   By: Jon Oltsik   /   Tags: Cybersecurity, malware, CISO, cybercrime, ISSA

Late last year, ESG published a research report titled Through the Eyes of Cyber Security Professionals, in collaboration with the Information Systems Security Association (ISSA). As part of this report, 437 cybersecurity professionals and ISSA members were asked if they’d experienced a number of types of security incidents. The research revealed that:

  • 39% of organizations experienced one or several security incidents resulting in the need to reimage one or several endpoints or servers.
  • 27% of organizations experienced one or several incidents of ransomware.
  • 20% of organizations experienced one or several incidents resulting in the disruption of a business application.
  • 19% of organizations experienced one or several incidents resulting in the disruption of a business process.

It should be noted that between 23% and 30% of the survey population responded “don’t know” or “prefer not to say” when asked about different types of security incidents, so the actual percentages are likely much higher than those presented above.

Why are so many organizations experiencing so many security incidents? Lots of reasons, including apathy, money, and the cybersecurity skills shortage. For example:

  • 31% of organizations say that their cybersecurity teams aren't large enough for their needs and that this shortage directly led to one or several security incidents.
  • 26% of organizations point to a lack of adequate training for non-technical employees as a direct cause of one or several security incidents.
  • 21% of organizations say that business and executive management tend to treat cybersecurity as a low priority, and this attitude was a direct cause of one or several security incidents.
  • 20% of respondents say that their cybersecurity budgets aren't big enough for the size of their organizations and that this gap was a direct cause of one or several security incidents.

It’s 2017 and cybersecurity is a major international issue. Despite this reality, many organizations continue to maintain the same “good enough” security attitude of the past. These organizations have no one else to blame when they are inevitably breached, but unfortunately, we the people must deal with the consequences of their irresponsible actions. If this isn’t a reason for changes in public cybersecurity policies, nothing is.

Note: The two ESG/ISSA research reports are available for free download here

Jon Oltsik

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service. With almost 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies.

Jon was named one of the top 100 cybersecurity influencers for 2015 by Onalytica, and is active as a committee member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners. Often quoted in the business and technical press, Jon is also engaged in cybersecurity issues, legislation, and technology discussions within the U.S. government.

Jon has an M.B.A. and a B.A. from the University of Massachusetts, Amherst. As an escape from cybersecurity intelligence and technology, he plays guitar in a rock-and-roll cover band.
