
Expectations of inevitable failure cause huge professional and personal angst

Cybersecurity becoming a black hole in more ways than just budget, research shows

A majority of senior cybersecurity professionals at the UK’s largest organisations struggle with feelings of helplessness and professional despair, new research by Green Raven Limited indicates. These negative emotions result from practitioners’ anticipation of eventual, inevitable failure to protect their organisation. Most practitioners say these same feelings spill over into and impact their personal lives.

With the standard, increasingly expensive, throw-money-at-it-and-hope-something-sticks approach to cybersecurity failing to stem global losses, practitioners yearn instead for a more precise understanding of threats so they can target budget and defences where they are needed. To meet this need and help tilt the odds back in their favour, practitioners have high hopes for new, AI-based tools.

Commissioned by specialist cybersecurity consultancy and reseller Green Raven Limited and conducted by research specialist Censuswide, the research comprised a quantitative survey of 200 cybersecurity professionals with responsibility for cybersecurity, cybersecurity teams and associated budgets in organisations of over 1,000 employees. The results showed that:

70% of them admit to feelings of professional despair/helplessness at the inexorable rise in cyber losses. Despite being responsible for rapidly increasing cybersecurity budgets, an unhealthy majority of 59% agree that it’s “a matter of when, not if” their organisation suffers loss due to a cybersecurity breach. Almost three-quarters say they would consider a major breach as a personal failure.

59% of respondents admit that feelings of professional despair/helplessness have a negative impact on their personal lives and/or mental health.

Almost 70% are under pressure from senior management/boards to better justify their next annual cybersecurity budget against the actual risks and threats faced by their organisation. 66% of this cohort, and over half of all respondents, say they struggle to do so.

Fewer than half of respondents believe their organisation is investing sufficiently in cybersecurity, despite nearly 90% of respondents reporting that their cybersecurity budgets are increasing. 5% describe budgets as increasing rapidly.


79% of respondents recognize that the ‘gold standard’ process for risk and compliance management comprises the four steps of identification, assessment, treatment, and monitoring. Three-quarters of respondents say their organisation executes all four steps. Of the handful that disagreed, over half said their organisations rely instead on abbreviated methodologies based on scrutinising risks and emphasising defensive measures.

Two-thirds of respondents say that not knowing from where the next cyberattack will come feels like permanently working with a blindfold on.

Almost four in every five respondents expect that new, AI-enhanced tools will finally give them an advantage over threat actors in the form of better cyber threat intelligence which tells them from where an attack will likely come and/or where it will land.

Interpreting the research, Morten Mjels, CEO of Green Raven Limited, commented: “The research appears to highlight some contradictory thinking by respondents: despite the impact on their lives, ever-rising cybersecurity budgets and the belief that a breach will occur in the end anyway, respondents are still happy to say that current cybersecurity strategies are ‘sustainable’ – when their own observations clearly indicate otherwise.

“Then there’s also the pressure: practitioners believe the defences in which they are responsible for investing increasingly large amounts of money will ultimately fail to protect their organisation, and expect to feel or to be held responsible when the big breach comes. It’s the cybersecurity version of the old maxim that ‘all political careers end in failure’: many cybersecurity practitioners appear resigned to the idea that their career could hit the buffers in a similar fashion. Having that expectation dangling over your head daily can’t be healthy and it’s unsurprising that it emotionally impacts dedicated, hard-working practitioners,” he observed.

“Third, it’s uncomfortable to learn that a full quarter of respondents at these big organisations recognise that they aren’t rigorously applying the gold standard, four-step process [of identification, assessment, treatment and monitoring] to risk and compliance management. This chimes with what we observe ‘in the field’, where we frequently encounter approaches, processes and solutions which resemble a two-and-a-half step process and ultimately emphasise defensive measures – the approach that currently isn’t working.

“It begs the entwined questions of whether or not a significant number of practitioners might misunderstand the gold standard process, and whether existing solutions and practices have contributed to a watering-down of that process that practitioners haven’t noticed happening,” he said.

“Finally, it’s clear that practitioners are pinning a great deal of expectation on new or emerging AI-based solutions to tilt the field back in their favour. Since they know that bad actors will also have access to new and emerging AI-based tools, it may be that they expect some sort of cancelling-out effect to occur, resulting in the cybersecurity equivalent of a nil-nil or low-scoring draw – which the research suggests they’d bite your hand off for,” he concluded.

Helping to change the ‘ever higher walls/deeper moats’ approach to cybersecurity, Darkscope offers the world’s premier predictive cyber threat intelligence for enterprises. Its unique, award-winning, AI-powered portfolio of solutions spots cyberattacks that others can’t, and before they take place – so those responsible for cybersecurity can reinforce their cyber defences where they know they’re about to be needed. This enables practitioners and organisations to regain control of their overall cybersecurity expenditure, as well as lowering their vulnerability to a successful breach.