{"id":3393,"date":"2025-06-02T10:00:00","date_gmt":"2025-06-02T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3393"},"modified":"2025-06-02T10:00:00","modified_gmt":"2025-06-02T10:00:00","slug":"6-hard-truths-security-pros-must-learn-to-live-with","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3393","title":{"rendered":"6 hard truths security pros must learn to live with"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A career in cybersecurity is attractive for a number of reasons. The perpetual shortage of security practitioners means you can always get a job, and the tight talent market ensures a shot at great pay and benefits.<\/p>\n<p>Plus, for people who thrive in a fast-paced, high-pressure environment, there\u2019s certainly never a dull moment in security. And you\u2019re doing something important: working to keep your organization safe from cyberattack.<\/p>\n<p>On the flip side, hard truths abound for security pros. Here are six of the most challenging and what you can do to mitigate and deal with them.<\/p>\n<h2 class=\"wp-block-heading\">Every technological leap will be used against you<\/h2>\n<p>Information technology is a discipline built largely on rapid advances. Some of these technological leaps can help improve your ability to secure the enterprise. 
But every last one of them brings new challenges from a security perspective, not the least of which is how they will be used to attack your systems, networks, and data.<\/p>\n<p>Generative AI, for example, can be <a href=\"https:\/\/www.csoonline.com\/article\/3619006\/generative-ai-cybersecurity-use-cases-are-expanding-fast-but-experts-say-caution-is-warranted.html\">used to augment security operations<\/a>, but it is also proving to be a <a href=\"https:\/\/www.csoonline.com\/article\/3988355\/8-security-risks-overlooked-in-the-rush-to-implement-ai.html\">challenge to secure<\/a>. Moreover, gen AI is enabling hackers to generate <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html\">more convincing phishing lures<\/a>, voice spoofs, and <a href=\"https:\/\/www.csoonline.com\/article\/3982379\/deepfake-attacks-are-inevitable-cisos-cant-prepare-soon-enough.html\">deepfake videos<\/a> \u2014 and to mount multi-channel attacks that span email, social media, and collaboration platforms.<\/p>\n<p>Eighty-seven percent of security professionals report that their organization has encountered an AI-driven cyberattack in the past year, according to <a href=\"https:\/\/sosafe-awareness.com\/resources\/reports\/cybercrime-trends\/\" target=\"_blank\" rel=\"noopener\">SoSafe\u2019s 2025 Cybercrime Trends<\/a>, a survey of 600 global security professionals. While 91% of security experts surveyed said they anticipate a surge in AI-driven threats over the next three years, only 26% express high confidence in their ability to detect these attacks.<\/p>\n<p>As if that weren\u2019t enough, quantum computing is coming fast, <a href=\"https:\/\/www.csoonline.com\/article\/3562701\/chinese-researchers-break-rsa-encryption-with-a-quantum-computer.html\">posing new security risks<\/a>. 
<a href=\"https:\/\/www.linkedin.com\/in\/cdimitriadis\/?originalSubdomain=gr\">Chris Dimitriadis<\/a>, chief global strategy officer at ISACA, says, \u201cGiven recent quantum advancements, we can expect quantum computing to be present in our day-to-day platforms and processes within the next few years. While this will present great opportunities for innovation in several industries, significant cybersecurity risks emerge. Cryptography is present in all businesses, industries, and sectors, and quantum computing has the potential to break the cryptographic protocols that we use, rendering simple services useless.\u201d<\/p>\n<p><strong>What you can do:<\/strong> Organizations need to <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">start preparing now<\/a>. Hackers are already engaged in so-called \u201charvest now, decrypt later\u201d attacks, in which they steal encrypted data today to decrypt with a quantum computer at a later date. Staffers need to be trained on both AI and quantum. 
Security execs need to <a href=\"https:\/\/www.csoonline.com\/article\/3950176\/10-things-you-should-include-in-your-ai-policy.html\">develop and implement policies<\/a>, <a href=\"https:\/\/www.cio.com\/article\/3984527\/how-to-establish-an-effective-ai-grc-framework.html\">put guardrails in place<\/a>, and deploy the appropriate tools to make sure that the organization is prepared for these new types of threats.<\/p>\n<h2 class=\"wp-block-heading\">No matter how good you are, your organization will be victimized<\/h2>\n<p>This is a hard one to swallow, but if we take the \u201cfive stages of grief\u201d approach to cybersecurity, it\u2019s better to reach the \u201cacceptance\u201d level than to remain in denial, because much of what happens is simply out of your control.<\/p>\n<p>A global survey of 1,309 IT and security professionals found that 79% of organizations suffered a cyberattack within the past 12 months, up from 68% just a year ago, according to cybersecurity vendor Netwrix\u2019s <a href=\"https:\/\/www.netwrix.com\/2024-hybrid-security-trends-report.html\">Hybrid Security Trends Report<\/a>.<\/p>\n<p>Compromised credentials (16%) and phishing (15%) were the two top causes of data breaches identified in the 2024 edition of IBM\u2019s annual <a href=\"https:\/\/www.ibm.com\/downloads\/documents\/us-en\/107a02e94948f4ec\">Cost of a Data Breach<\/a> report, conducted by the Ponemon Institute. So, despite security training, end users still fall for phishing attacks and still allow their credentials to be stolen.<\/p>\n<p>Once a hacker is inside your network, they can operate for months without your knowledge. 
Ponemon says it takes an average of 292 days to identify and contain breaches involving stolen credentials, 261 days to identify and resolve phishing attacks, and 257 days for social engineering attacks.<\/p>\n<p><strong>What you can do:<\/strong> Gartner recommends that security and risk management (SRM) leaders shift from a prevention mindset to a focus on <a href=\"https:\/\/www.csoonline.com\/article\/2111061\/cyber-resilience-a-business-imperative-cisos-must-get-right.html\">cyber resilience<\/a>, which emphasizes minimizing impact and enhancing adaptability. In other words, adopt a \u201cwhen, not if\u201d mentality and accept that incidents are inevitable.<\/p>\n<h2 class=\"wp-block-heading\">Breach blame will fall on you \u2014 and the fallout could include personal liability<\/h2>\n<p>As if getting victimized by a security breach isn\u2019t enough, new Securities and Exchange Commission (SEC) rules put CISOs in the <a href=\"https:\/\/www.csoonline.com\/article\/1247504\/how-us-sec-legal-actions-put-cisos-at-risk-and-what-to-do-about-it.html\">crosshairs for potential criminal prosecution<\/a>. The new rules, which went into effect in 2023, require publicly listed companies to report any material cybersecurity incident within four business days.<\/p>\n<p>There have already been two high-profile cases brought against CISOs. Uber CSO Joe Sullivan was charged with obstructing a Federal Trade Commission investigation <a href=\"https:\/\/www.csoonline.com\/article\/575375\/former-uber-cso-joe-sullivan-and-lessons-learned-from-the-infamous-2016-uber-breach.html\">related to a data breach at the ridesharing company<\/a> that occurred in 2016. 
He was <a href=\"https:\/\/www.csoonline.com\/article\/573871\/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html\">found guilty<\/a> and sentenced to probation in 2023.<\/p>\n<p>Also in 2023, the <a href=\"https:\/\/www.csoonline.com\/article\/657599\/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html\">SEC charged SolarWinds CISO Timothy G. Brown<\/a> with fraud and internal control failures related to the infamous <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">SolarWinds breach of 2019<\/a>. More recently, an appeals court dismissed nearly all counts against SolarWinds and Brown.<\/p>\n<p>But the concern remains that CISOs will take the fall for data breaches. In Proofpoint\u2019s 2024 Voice of the CISO survey, 66% of global CISOs said they are <a href=\"https:\/\/www.csoonline.com\/article\/3631759\/personal-liability-sours-70-of-cisos-on-their-role.html\">concerned about personal, financial and legal liability<\/a> in their role, up from 62% in 2023.<\/p>\n<p><strong>What you can do:<\/strong> You can\u2019t always prevent breaches, but you can have a solid incident detection and response plan in place. And there are ways CISOs can <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">protect themselves from personal liability<\/a>, including obtaining your own lawyer and lobbying for <a href=\"https:\/\/www.csoonline.com\/article\/2512968\/if-youre-a-ciso-without-do-insurance-you-may-need-to-fight-for-it.html\">inclusion in your company\u2019s D&amp;O insurance policy<\/a>. Establishing open lines of communication with the board and C-suite is essential, as is having a playbook that lays out what types of disclosures and filings are required to comply with the new regs. 
It\u2019s also vital to consider <a href=\"https:\/\/www.csoonline.com\/article\/3988361\/4-ways-to-safeguard-ciso-communications-from-legal-liabilities.html\">how you communicate<\/a> in order to safeguard yourself from liability.<\/p>\n<h2 class=\"wp-block-heading\">Skills and talent shortages aren\u2019t going away anytime soon<\/h2>\n<p>The raw numbers are always a bit shocking when ISC2 unveils its <a href=\"https:\/\/www.isc2.org\/Insights\/2024\/09\/Employers-Must-Act-Cybersecurity-Workforce-Growth-Stalls-as-Skills-Gaps-Widen\">annual cybersecurity workforce study<\/a>. This year, the shortage of workers grew by 19% to hit 4.8 million, while the overall size of the workforce remained flat at 5.8 million.<\/p>\n<p>Even more troubling than the staff shortage numbers, 90% of those surveyed said there are skills shortages in their organizations, with two thirds (64%) viewing these shortages as more serious than the personnel shortages they are dealing with.<\/p>\n<p>\u201cIt\u2019s not just about the people available in the market. It\u2019s about the skilling, and I think that\u2019s where the focus needs to be \u2014 getting the right skill sets into the right job roles,\u201d said <a href=\"https:\/\/events.isc2.org\/b\/sp\/jon-france-5332\">Jon France<\/a>, CISO at ISC2.<\/p>\n<p>The cyber skills gap has increased 8%, with two out of three organizations reporting moderate-to-critical skills gaps, according to the <a href=\"https:\/\/www.weforum.org\/publications\/global-cybersecurity-outlook-2025\/digest\/\">World Economic Forum\u2019s Global Cybersecurity Outlook 2025.<\/a><\/p>\n<p>This double whammy makes organizations more vulnerable to attack and renders organizations less equipped to respond to breaches.<\/p>\n<p><strong>What you can do:<\/strong> Here\u2019s where AI can help. Organizations can leverage AI to automate and optimize manual processes. Upskilling existing staffers is vital. 
And <a href=\"https:\/\/www.csoonline.com\/article\/575395\/upskilling-the-non-technical-finding-cyber-certification-and-training-for-internal-hires.html\">recruiting from within the organization<\/a> is another tactic that can pay dividends.<\/p>\n<h2 class=\"wp-block-heading\">The bad actor plotting an attack might be sitting right next to you<\/h2>\n<p>This is another tough pill to swallow, but <a href=\"https:\/\/www.csoonline.com\/article\/566603\/what-is-an-insider-threat-7-warning-signs-to-watch-for.html\">insider attacks<\/a>, whether employees stealing data to sell for profit or <a href=\"https:\/\/www.csoonline.com\/article\/2112460\/employee-discontent-brewing-in-darkness-theres-the-source-of-your-insider-threat.html\">disgruntled employees trying to do harm<\/a>, are on the rise. When security pros strategize about how to stay one step ahead of cybercriminals, the image that typically springs to mind is somebody from Kazakhstan, not somebody in the next cubicle.<\/p>\n<p>But, according to a survey from Gurucul, 60% of organizations reported insider attacks in 2023, and that number jumped to 83% in 2024. The <a href=\"https:\/\/www.dtexsystems.com\/cost-of-insider-threats-global-report-2025\">2025 Ponemon Cost of Insider Risks Report<\/a> shows the cost of an insider attack rising to $17.4M, up from $16.2M in 2023.<\/p>\n<p><strong>What you can do:<\/strong> Here\u2019s another area where AI can be put to good use. 
AI and machine learning systems can conduct threat hunting and analyze user behavior to spot suspicious activity and pre-empt insider attacks.<\/p>\n<h2 class=\"wp-block-heading\">Burnout remains a significant problem<\/h2>\n<p>Gartner sums it up this way: \u201cThe ever-shifting threat and technology landscape, increasing business demand, and regulatory requirements, coupled with the endemic talent shortage, is generating a perfect storm. As a result, the security industry is experiencing a mental health crisis as security and risk management leaders and their teams experience increasing levels of burnout.\u201d<\/p>\n<p>Gartner analyst <a href=\"https:\/\/www.gartner.com\/en\/experts\/deepti-gopal\">Deepti Gopal<\/a> adds, \u201cCybersecurity professionals are facing unsustainable levels of stress. CISOs are on the defense, with the only possible outcomes that they don\u2019t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.\u201d<\/p>\n<p>The vicious cycle starts with an understaffed security department where practitioners are required to work unsustainably long hours. Fatigue exacerbates the pre-existing stress associated with the job, which leads to burnout.<\/p>\n<p>The implications can be disastrous: burned-out workers might skip routine tasks like installing patches or ignore alerts (<a href=\"https:\/\/www.csoonline.com\/article\/574551\/evolving-cyberattacks-alert-fatigue-creating-dfir-burnout-regulatory-risk.html\">alert fatigue<\/a>), leading to more breaches. 
In fact, <a href=\"https:\/\/www.csoonline.com\/article\/3814828\/39-of-it-leaders-fear-major-incident-due-to-excessive-workloads.html\">39% of IT leaders fear a major incident<\/a> due to overburdened staff, according to a <a href=\"https:\/\/static.adaptavistassets.com\/downloads\/adaptavist_crowdstrike_report.pdf\">recent survey from Adaptavist<\/a>.<\/p>\n<p><strong>What you can do:<\/strong> Experts recommend a multi-pronged approach that includes attempting to reduce cognitive overload by simplifying and streamlining processes, automating as much of the job as possible, and making sure to provide adequate and frequent training and upskilling.<\/p>\n<p>In addition, <a href=\"https:\/\/www.csoonline.com\/article\/3829440\/managing-the-emotional-toll-cybersecurity-incidents-can-take-on-a-team.html\">HR should be involved with stress management training<\/a>, resilience-building programs, flexible work arrangements, digital detox programs, and other tactics designed to address burnout.<\/p>\n<p>Gartner predicts that by 2027, CISOs investing in <a href=\"https:\/\/www.csoonline.com\/article\/3973070\/neurohacks-to-outsmart-stress-and-make-better-cybersecurity-decisions.html\">cybersecurity-specific personal resilience programming<\/a> will see 50% less burnout-related attrition than peers who don\u2019t.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A career in cybersecurity is attractive for a number of reasons. The perpetual shortage of security practitioners means you can always get a job, and the tight talent market ensures a shot at great pay and benefits. Plus, for people who thrive in a fast-paced, high-pressure environment, there\u2019s certainly never a dull moment in security. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3393"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3393"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3393\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3394"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}