At the Heart of the Cyber Security Skills Shortage

Three recent studies demonstrate that organizational and IT department leadership sit squarely at odds with several important challenges to improving IT-related risk postures:

  • Predictions that organizations do not plan to increase the level of on-hand security expertise;
  • A well-documented and looming shortage of cybersecurity and IT professionals; and
  • Just 18% of employers reported willingness to invest in IT training to help protect against cyber attacks this year. ((The annual report on IT budgets and tech trends. Spiceworks. 2016; Occupational Outlook Handbook, 2016-17 Edition: Information Security Analysts. Bureau of Labor Statistics, U.S. Department of Labor. 2016; U.S. Federal Cybersecurity Market Forecast 2017-2022, Tabular Analysis. Market Research Media, Ltd. June 2016.))

ISACA and RSA Conference conducted a study that looked at mid-to-large-sized organizations across North America, Europe, Middle East and Africa (EMEA), Asia, Latin America and Oceania in a wide range of industry verticals. They report:

  • 74% of respondents expect to experience a cyber attack in 2016;
  • 30% of organizations that experienced phishing attacks (60% of the total respondent base) report such attacks happen on a daily basis;
  • For organizations with high staff turnover, IT-related security issues are particularly troublesome;
  • Nearly 65% of all entry-level cybersecurity applicants lacked the requisite skills for that position; and
  • On-the-job training was the most widely applied means of addressing this issue (65% of organizations). ((State of Cybersecurity: Implications for 2016. ISACA and RSA Conference Survey. 2016.))

IT market research of mid-to-small-sized company IT professionals in international venues (EMEA 41% and US 59%) examined security practices and included inquiry into whether organizations have a third-party cybersecurity expert either in-house or on call. The results demonstrate that organization leaders are not effectively prioritizing information security:

  • 80% of respondents reported at least one security incident last year;
  • Just 29% of respondents reported having a cybersecurity expert in their IT department;
  • A mere 7% have a cybersecurity expert on their executive team;
  • A stunning 55% reported having no regular access to any IT security experts, either internal or third party; and
  • Of those that reported having IT professionals, 67% of those professionals say they have no security certifications. ((Cybersecurity skills gap? Most organizations lack IT security experts. Spiceworks. June 29, 2016.))

And finally, a 2016 Cisco report uniquely notes that executive managers’ confidence levels fell (from 64% in 2014 to 59% in 2015) when describing how up-to-date their security infrastructure was. And, while 97% of companies stated they deliver security training at least once a year, 43% of respondents waited until after a public breach to step up their security training. ((Mitigating the Cybersecurity Skills Shortage. Cisco Security Advisory Services. 2015.))

The disconnect that these studies indicate, wherein third party risk management (TPRM) programs are not executed in a holistic, proactive manner, creates a lack of cohesion and puts organizations at acute risk. “As the rate of incidents continues to escalate, the magnitude of related brand, reputation, and fiscal impact is driving organizations to address cybersecurity risk.” ((State of Cybersecurity: Implications for 2016. ISACA and RSA Conference Survey. 2016.)) These trends evidence that strong leadership will be required to address these issues. Without such commitment from leaders across the Board of Directors, through C-Suite and into executive management, businesses will face serious repercussions at all levels, including reputation and revenue.

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.