Nearly two-thirds of organizations lack 24/7 cybersecurity coverage throughout the year due to staffing shortages, a Trend Micro report published Thursday revealed.
The problem appears to be just one symptom of underlying issues that leaves security departments under-resourced and drives reactive, rather than proactive, cybersecurity spending.
“What we’re finding is that an alarming percentage of organizations worldwide suffer from a serious disconnect between business leadership and IT/security leadership. Many boardrooms lack either the technical knowledge or data clearly correlating cyber risk to business risk,” a Trend Micro spokesperson told SC Media.
The Trend Micro study was conducted by Sapio Research and included interviews with 2,600 IT leaders around the globe. Nearly half of respondents – 48% – said leaders in their organization don’t consider cybersecurity to be their responsibility.
The study also revealed disjointed answers to the question of who should ultimately hold responsibility for cyber-related business risks, with only 42% saying the buck should stop with the CEO.
Thirty-four percent put the onus on the CIO, 26% on the CISO, 20% on the CFO, 16% on the COO and 14% on the CMO, with multiple choices allowed per response. Additionally, 31% said IT teams should ultimately be in charge of managing cybersecurity risks.
“A lack of clear leadership on cybersecurity can have a paralyzing effect on an organization – leading to reactive, piecemeal and erratic decision making,” Trend Micro Technical Director Bharat Mistry said in a statement. “Companies need CISOs to clearly communicate in terms of business risk to engage their boards.”
Business struggle to manage growing attack surface
Trend Micro said the results of its study are a troubling sign as cyber threats only continue to grow, with attack surfaces constantly expanding as organizations adopt new technologies and overall attack volumes rising. The company said it blocked 161 billion cyber threats in 2023, which is a 10% increase from 2022.
Additionally, the Identity Theft Resource Center’s 2023 Data Breach Report found that the number of publicly reported data breaches in the United States reached an all-time high last year, at more than 3,200 compromises affecting more than 353 million people.
Nearly all of the IT leaders interviewed for the Trend Micro study (96%) said they were concerned about their attack surface, and more than a third (36%) said they were worried they lacked a method to discover, assess and mitigate high-risk areas. Additionally, 19% said they aren’t able to work from a single source of truth (SSOT), which can occur when an organization’s cyber toolkit becomes “bloated” with siloed point solutions.
More than half of respondents – 54% – said their organization’s attitude toward cyber risk was inconsistent from month to month and only 17% strongly felt that their organization’s leadership saw cybersecurity as their responsibility.
Gaps in cybersecurity resources and strategy were indicated by other troubling statistics: only 34% of respondents said their organizations planned to follow regulatory and other frameworks such as NIST’s Cybersecurity Framework, and just 35% said they had sufficient attack surface management techniques to measure the risk of their attack surface.
“We have conducted multiple surveys like this over the past few years. While they are not each identical in content, they do reveal important trends. While this phenomenon is not rapidly worsening, the numbers remain pretty daunting. We previously found that over 40% of IT leaders believe their organization’s attack surface is ‘spiraling out of control,’” a Trend Micro spokesperson told SC Media.
The report noted that government regulations, such as the United States’ Security and Exchange Commission (SEC) rules and the European Union’s NIS2 directive, may prove necessary to keep businesses and their leaders accountable for managing cybersecurity risk.
Additionally, Trend Micro told SC Media that emerging technologies like AI can assist in mitigating challenges like staffing shortages, “whether it’s streamlining tedious and repetitive security tasks or using machine learning to gather better threat intelligence.”
“That being said, organizations that do not have a security-first culture will not be able to make the most of these tools, and risks will remain elevated,” the spokesperson added.
