A warning issued by the new head of the United Kingdom's National Cyber Security Centre (NCSC) should be sobering to cybersecurity pros everywhere. Speaking at the agency's headquarters on Tuesday, Richard Horne declared that the cyber-risks faced by his nation and its allies are widely underestimated.
Horne, referring to the launch of the NCSC's Annual Review, which covers the agency's activities from September 2023 to August 2024, shared his big takeaway:
“What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threats we face and the defenses that are in place to protect us. And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries."
—Richard Horne
Horne's remarks came on the heels of a report by cybersecurity consultancy Green Raven that found that senior cybersecurity personnel at some of the United Kingdom's largest organizations struggle with feelings of helplessness and professional despair. The report, based on a survey of 200 professionals with responsibility for cybersecurity, cybersecurity teams, and associated budgets in organizations of over 1,000 employees, found that 70% of them admit to feelings of professional despair or helplessness at the rise in cyber-losses.
Green Raven CEO Morten Mjels said that the one ray of hope for cybersecurity, AI, depends entirely on the industry advancing its tools. Here are the key challenges outlined in the NCSC Annual Report and the Green Raven survey — and analysis from U.S. cybersecurity subject-matter experts.
That helpless feeling about cybersecurity is universal
Mjels identified two factors that can contribute to a cybersecurity professional’s feeling of helplessness. One is alert fatigue.
“Some of the worst I have seen is warnings being sent every minute, which can overwhelm cyber-pros. They think they are constantly firefighting when, in fact, they are dealing with sometimes irrelevant information that has just been marked as critical due to precautions.”
—Morten Mjels
The other factor is lack of awareness beyond the security team. Teams are operating in "total darkness with a company culture that might not take them seriously," Mjels said:
"You can have breaches left, right, and center, as employees don’t understand the severity of those breaches because it is not being made clear in the mandatory education they have to listen to for a few hours every year.”
—Morten Mjels
Lack of upper management support can also contribute to helpless feelings, said James McQuiggan, a security awareness advocate at KnowBe4.
"Upper management has a larger risk appetite than security professionals. Cybersecurity professionals want to mitigate all of the risks, but a CIO, CEO, or even a board of directors provides the budgets."
—James McQuiggan
When management doesn't find mitigating cyber-risk a high priority for funding and the business side views cybersecurity as the Department of No, "it gets lonely in the middle," McQuiggan said.
Melody (MJ) Kaufmann, an author and instructor with O'Reilly Media, said much of this relates to the gap between the security team's responsibility to prevent data breaches and the organization's mandate to do it without enough funding and organizational buy-in to make it happen.
“This places us in an impossible no-win situation where the attackers will eventually get through.”
—MJ Kaufmann
Martin Jartelius, CISO of threat exposure management company Outpost24, said that data breaches are inevitable, so when success is judged solely on whether any occur, failure is inevitable as well.
"If you want to find out if you will be able to handle it when it does happen, bring in a decent red team to ensure you have detective and responsive capabilities and not just preventive ones."
—Martin Jartelius
Working blind is the norm for security teams
The Green Raven report also found that two-thirds of the surveyed cybersecurity pros feel that they are working blind because they can’t pinpoint where the next attack will come from, and a similar number said their current tools and methods for thwarting attacks are not up to the job.
Kaufmann explained that for many organizations, data and operational silos leave systems and tools unable to correlate data to gain actionable insights into attacks. “This makes it virtually impossible to pinpoint how the last attack started or determine where the next will begin,” she said.
Green Raven's Mjels wrote:
“The majority of cyber budgets have always been and are still being spent on reactive defense, and companies are still not considering more proactive methods such as cyber intelligence."
A lack of knowledge — coupled with a growing number of cyberthreats — can also contribute to the feeling of working blind, KnowBe4's McQuiggan said.
“When an organization is limited in its ability to collect threat intelligence, it forces cybersecurity professionals to protect the organization in a broad sense, stretching everything to the limits versus being able to focus on the key items. Organizations today have an environment of continuous uncertainty, which leads to increased stress and potential burnout of their cybersecurity professionals and leadership teams."
—James McQuiggan
CISOs are in the hot seat
The gaps — both between risk and the organization's stomach for it and between the available tools and methods and the growing threats — make the CISO role unsustainable at many organizations, said George Jones, CISO at the cybersecurity firm Critical Start.
“The demand and scrutiny of the CISO role is pushing many to shorter tenures, with burnout and high-stakes accountability playing major roles."
—George Jones
However, he noted, organizations are investing in robust mental health and wellness programs and in continuous professional development, and they are offering more paths to lateral roles to retain talented leaders. “Limiting the scope of CISO responsibilities can create a manageable workload and clear boundaries around accountability, helping CISOs maintain a longer-term commitment without facing untenable risks,” he added.
AI to the rescue?
While many of the cybersecurity pros surveyed seemed gloomy about their circumstances, some see one bright spot on the horizon: nearly eight out of 10 of them said AI-powered tools will be the key to regaining control of the threat landscape.
Green Raven's Mjels wrote:
“AI will have a massive impact and, used correctly, can help with several bottlenecks. AI has the uncanny ability to analyze large sets of data that can help establish patterns that can benefit defenders."
However, AI presents a double-edged sword, one that can be equally wielded by threat actors, Mjels wrote:
"The issue is that those same patterns can be used by malicious adversaries and help them identify weaknesses quicker.”
With AI empowering both sides, the problem is that threat actors have adopted it faster, creating a gap. “The pitfall is AI is creating a lot of innovative solutions, but the market is taking a lot longer to adapt them, which gives cybercriminals an edge, as there is quite an uptake in them utilizing AI to their advantage,” Mjels said.
“There is no single thing that will be the saviour of cybersecurity. AI will help and keep us in the race because our adversaries are using it.”
—Morten Mjels
Mjels said the real power lies in the industry's collaboration. “If the industry works together to help educate companies about ideal practices in much greater detail, it could shift the tide so the total cost of cyber-criminality might finally decrease year on year.”