Lack of cybersecurity improvement should be a concern for everyone

A recent cybersecurity survey paints a picture of the current threats and challenges facing cybersecurity professionals. The picture is not pretty, and it matters to your business and organization.

The Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) conducted their third annual survey of cybersecurity professionals across the globe, with 90% of respondents coming from North America. The survey focused on careers, skills development, organizational considerations, security incidents and vulnerabilities, skills shortage, and activities.

While the results are available for anyone to download, a few of the report's conclusions worth noting include:


Cybersecurity teams are participating in data privacy efforts but may not be up to the task.

The results indicate that while the majority of organizations are stepping up their data privacy efforts, cybersecurity professionals do not think they have been given a clear direction for data privacy, nor are they properly trained.

Training and skills development remains a problem.

Nearly two-thirds of cybersecurity professionals do not believe their employer is providing the right level of training and skills development. The professionals understand that training needs are important to maintain the security of their organization, and a majority of professionals believe the job demands don’t allow them the time to complete training.

The virtual Chief Information Security Officer (vCISO) is an attractive career option.

A small number of organizations surveyed utilize a vCISO, an outsourced CISO option. Half of CISOs surveyed have either worked as a vCISO or considered working as a vCISO. Many IT providers in the West KY region offer vCIO or vCISO services, which could be a very attractive option for a small business to consider.

Lacking employee security awareness training and a growing workload lead to security incidents.

Nearly half of respondents stated that over the last two years, their organization has experienced at least one cybersecurity incident, with another 40% not knowing. The primary reasons noted for the incidents are (1) lack of end-user security awareness training, and (2) the growing workload won’t allow the cybersecurity team to keep up.

The cybersecurity skills shortage is not improving.

Four out of five cybersecurity professionals have indicated that the cybersecurity skills shortage has impacted their organization. Due to the shortage, businesses are reporting a number of impacts including: (1) causing businesses to alter their hiring and operating strategies; (2) limiting the amount of time that cybersecurity professionals can work with the business units; (3) limiting professionals’ ability to learn new security technologies; and (4) creating high burn-out rates among cybersecurity professionals.

Perhaps the most concerning conclusion identified in the report is that “cybersecurity progress has been marginal at best over the last three years.” The challenges identified by cybersecurity professionals and the conclusions reached by the report are a large concern.

First, do the results from the ESG/ISSA survey matter to a small business? Yes. As previously stated, over 40% of cyber-attacks target small businesses. All businesses and organizations are targets of those with malicious intent, and everyone needs to take the cybersecurity threats as serious threats facing the business.

While the challenge is daunting, we are not without hope. West Kentucky is home to brilliant cybersecurity professionals, strong IT security companies, and great training programs.

For small businesses trying to determine how to address these challenges, understand that you don’t have to do it alone. This column has been used over the last few years to offer up tips and suggestions on how to move your business forward and improve its cybersecurity. It is my sincere hope that you have acted on some of the lessons learned.

Your business does not have to do it alone. West Kentucky is home to companies that assess your risks and develop a cybersecurity plan that would be appropriate for your business. Regional IT companies offer security and network monitoring. Local companies will even offer you a vCIO or vCISO to help plan, implement, and operate a cybersecurity strategy for your small business.

Post-secondary institutions offer high-quality cybersecurity programs. West Kentucky Community & Technical College’s Computer & Information Technologies program offers an associate of science in cybersecurity. Murray State University’s Telecommunication Systems Management program offers a bachelor’s degree track in cybersecurity. Graduates of these programs have become leaders in cybersecurity around the region and country. The expertise housed within our regional educational institutions is large and available to support our local businesses as they grow and improve their cybersecurity programs.

As your business considers its next cybersecurity steps, the technology sector within our region stands ready to assist you. If you would like more information or to be connected to some of the resources in our region, please contact me.

To read more on the report from ESG/ISSA, download the entire report by visiting

Michael Ramage is the director of the Center for Telecommunications Systems Management (CTSM) at Murray State University. He can be reached at [email protected] or 270-809-3987 for questions or more information.

Originally published in the Four Rivers Business Journal and available at
