Annual Security Professionals Survey Reveals Resource Shortage Biggest Challenge, as Budgets Grow Slower than Rising Threat Levels

A lack of resources is the single biggest challenge for the IT security market, followed by a lack of experience and skills, according to “The Security Profession in 2018/19” report from the Chartered Institute of Information Security (previously known as the IISP) – the independent not-for-profit organisation responsible for promoting professionalism and skills in the IT profession. At least 45 percent of respondents chose a lack of resources as the biggest challenge, compared to 37 percent for a lack of experience and 31 percent for a lack of skills. Ultimately, security professionals feel their budgets are not giving them what they need – only 11 percent said security budgets were rising in line with, or ahead of, the cyber security threat level, while the majority (52 percent) said budgets were rising, but not fast enough.

Professionals were also clear about where threats originate. Overwhelmingly, 75 percent perceived people as the biggest challenge they face in cyber security – with processes and technology near-equal on 12 and 13 percent respectively. This may explain the need for more resources even as budgets increase: people are a far more complex issue to deal with. Yet at the same time, there are signs of improvement. More than 60 percent of IT professionals say that the profession is getting better – or much better – at dealing with security incidents when they occur, with only 7 percent saying the profession is getting worse. Conversely, less than half (48 percent) of respondents felt the industry is getting better at defending systems from attack and protecting data, with 14 percent saying the profession is getting worse. This suggests an ongoing move in the industry – from focusing on prevention, to an all-encompassing approach to security.

“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO, Chartered Institute of Information Security. “As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”

Other relevant statistics from the research included:

  • Asked to identify the worst or most notable security events or breaches of the last year, more than one third of respondents pointed to Facebook, both for its own breaches and for its relationship with Cambridge Analytica.
  • British Airways was second, with almost a quarter of responses. All the incidents highlighted by the most respondents were as notable for the aftermath of the breach as for the breach itself.
  • The innovation predicted to have the greatest effect on security in general was AI and machine learning technology – suggesting this is an area for organisations and individuals to target their skills development.

The focus on a lack of resources, experience and skills suggests that IT security teams are feeling the effect of the IT skills shortage. Yet this is also an opportunity for individuals. The majority of IT security professionals surveyed believe this is a good time to join the profession – 86 percent say the industry will grow over the next three years and 13 percent say it will “boom”. There is also an opportunity, and need, for women in the industry – 89 percent of respondents identified as male, and 9 percent as female. More than 37 percent say they have better prospects than a year ago, and the factors attracting people to take security jobs are the same as then – remuneration, followed by scope for progression and variety of work. Insufficient money, or a lack of opportunity, also cause people to leave security positions – yet the top factor causing people to leave their jobs is bad or ineffectual management.

“In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed,” continued Amanda Finch. “At the same time, they cannot simply hire anyone to fill the skills gap – bringing the wrong person into a role can be a greater risk than an empty seat. Instead, organisations must understand what roles they need to fill; what skills those roles demand; and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need. This doesn’t only mean developing technical skills, but the social, organisational and strategic skills that are essential to put security at the heart of the business.”

The survey covered a range of IT security professionals from a variety of backgrounds, both members and non-members. The full report can be read here.



Vulnerabilities can allow hackers to bypass £30 contactless limit – comment from OneSpan

Security researchers have discovered flaws that could allow hackers to bypass the UK contactless verification limit of £30 on Visa contactless cards. The researchers, from Positive Technologies, tested the attack with five major UK banks, successfully bypassing the UK’s £30 limit (which is used to safeguard against fraudulent losses) on all tested Visa cards, irrespective of the card terminal. They also found that this attack is possible with cards and terminals outside of the UK.

In response to the report, below is a comment from Frederik Mennes, director of product security at OneSpan:

This attack requires the adversary to manipulate the data flow between the payment terminal and the payment card, which requires them to be in very close proximity to both the terminal and payment card, which limits the scalability of the attack. The most practical way to implement the attack probably consists of adding an extension to the terminal that acts as a man-in-the-middle between the terminal and card. The extension should look as if it is a genuine part of the terminal, and this is similar to skimming attacks against magstripe-based payment cards, whereby a fake terminal is used to read the content of a card’s magstripe.

Banks, merchants and consumers should do the following to prevent this type of attack:

  • Banks should analyse financial transactions for all payments that they process, and try to identify fraudulent transactions as much as possible.
  • Merchants should inspect their payment terminals regularly and make sure there are no extensions to it. Consumers should also look for strange additions to payment terminals.
  • Consumers should keep their payment card in a screening wallet, so that it cannot be read inadvertently. They should also enable SMS notifications for new payments and contact their bank immediately if they notice a suspicious payment.



Capital One breach – Carbon Black’s cybersecurity chief comments

In response to the recent Capital One breach, below is a comment from Tom Kellermann, Chief Cybersecurity Officer at Carbon Black, and former cyber commissioner for President Obama:

“This breach highlights a few important realities for cybersecurity in 2019. First, perimeter-based security measures will not prevent 100% of attacks, 100% of the time. Without visibility into what’s occurring on an enterprise, a business may be completely blind to attacks like this, especially when you consider that Paige Thompson once worked at Amazon as an engineer for the same server business that supported Capital One. Modern threats can come from all domains, including former employees, partners or contractors. A business needs to consider all the potential risks and work to gain visibility across the business into where potential weaknesses exist.

Second, it’s absolutely imperative for businesses to be securing their cloud infrastructures and the critical data they hold. Capital One is one of the most ‘cloud-forward’ financial companies in the world; they should be partnering with solution providers who are intimately aware of how to keep the cloud secure.

What should not be lost in this is that Capital One is one of the globe’s most recognisable and ubiquitous financial brands that houses critical financial and personal information. As Carbon Black’s research has found, financial institutions are increasingly being targeted by advanced attacks that leverage “island hopping,” lateral movement, counter incident response and fileless attacks. The modern bank heist is now in cyberspace.

Capital One customers who are concerned about this breach should keep a close eye on their statements and report any suspicious activity immediately. Customers should also consider signing up for security alerts from Capital One and be extra vigilant over the coming months for possible phishing emails.”



Inspirata and Fujifilm Strike Commercial Partnership to Supply Digital Pathology Services to the UK National Health Service

Cancer informatics and digital pathology provider Inspirata and radiology enterprise imaging specialists Fujifilm announced today a commercial partnership which enables Fujifilm to supply and service Inspirata’s digital pathology solutions in the United Kingdom.

With increased NHS interest in digital pathology as a vehicle for reducing cancer case turnaround times, caused in part by a chronic shortage in histopathologists, the wholly complementary nature of Inspirata and Fujifilm’s respective technologies bridges a technical gap between pathology, radiology and oncology, facilitating a more joined-up and longitudinal approach to patient care.

“Fujifilm’s expertise in advanced IT solutions and service delivery is exceptional,” details Inspirata EVP and co-founder, Dr Mark Lloyd. “Their experienced team have a proven record of delivering, implementing and servicing national healthcare IT solutions and represent the perfect partner for Inspirata as we respond to ever-increasing UK demand for our digital pathology and cancer informatic services.”

With both organisations having proactively embraced an ‘open’ or ‘vendor-neutral’ approach to supporting their customers, the Inspirata and Fujifilm partnership is one born out of a shared commitment to providing NHS trusts with the freedom and flexibility to utilise only the technologies which are right for them. In addition to affording genuine choice in both how and with whom NHS trusts can transition to digital pathology, this partnership also provides Inspirata customers with the option to utilise Fujifilm’s award-winning vendor-neutral archive, while simultaneously enhancing Inspirata’s current DICOM capabilities should this file format prove itself sufficiently robust as a universal standard for digital pathology.

“This partnership makes great business sense as it enables both Inspirata and Fujifilm to focus 100% on their respective core competencies without fear of becoming overstretched by trying to be all things, to all people,” explains Inspirata’s European GM, Tim Wing. “However, in blending the digital pathology expertise of Inspirata, with the advanced IT solutions and experience of large-scale implementation of Fujifilm, and both organisations’ relentless focus on openness and empowering Trusts in their choice of hardware, it is very evident that the real beneficiaries are going to be our shared UK customers and ultimately NHS patients.”

“In deciding to provide digital pathology services in the UK our evaluation of potential partners focussed on two important criteria,” explains Kevin Shah, Head of Enterprise New Business, Fujifilm Europe. “First, the partner had to offer an innovative, best-in-class technology complete with unparalleled subject matter expertise. Secondly, it was imperative that they share the commitment to openness and vendor neutrality with which we have become synonymous. Inspirata deliver on both counts and as such our combined partnership will see us deliver a truly unique solution to the UK market.”