Many security officers believe that cyber attackers have already outpaced them, according to Fortinet’s latest chief information security officer (CISO) report.
Fortinet’s global CISO study, conducted in partnership with Forbes, aims to find out how CISOs manage escalating cyber threats and limited resources.
The report found that the risk of cyber attacks might increase further, with 84% of respondents expecting the risk to escalate in the foreseeable future, while 21% believed the capabilities of cyber attackers were already outpacing their ability to defend their organization.
Dawn Cappelli, vice president, global security and chief information security officer at industrial automation and information technology provider Rockwell Automation, noted that the threat landscape has changed dramatically over the last few years.
“Everyone realized that cyber threats like ransomware are out there and can hit anyone. Everyone realized that you don’t have to be the target, and you don’t have to have something specific that they’re after. It’s a dynamic environment,” Cappelli said.
While many of the respondents cited lack of budget as a limitation, 35% pointed to a lack of strategy and lack of senior management support as top barriers they face.
To help organizations better deal with cyber threats, security experts pointed to the need for an enterprise-wide, holistic approach to security and for the hiring of more cybersecurity staff.
“The ownership of security does not belong just to my organization. It belongs to everybody – developers, for example, or the infrastructure team. They often manage firewalls and build cloud environments,” said Emily Heath, vice president, chief information security officer at United Airlines.
“If we work alongside them and partner with them, it doesn’t always have to be my team who take actions of security. It can be part of their jobs as well. It’s about leveraging the rest of the organization.”
Cappelli added: “We were all one big team, and we recognized that some people were subject-matter experts in one area, and some people were subject-matter experts in another. Seeing us all as one team was the best thing that we could have done, because if IT security tries to create a plan for securing a plant without working with the industrial automation engineers, it will be hard to get the buy-in that you need.”