Although some organizations have splintered cybersecurity from IT for structural purposes, typically IT teams shoulder the responsibility for security. This means IT professionals are the people who enforce the policies and run the tools to protect their organizations’ data.

But even though IT teams are the de facto security team in most places, do they have all the access to tools and technology they need? Not necessarily, according to recently completed (ISC)² research.

The research suggests most organizations do not provide adequate resources for training and development, or enough people, to run security. Even worse, (ISC)²’s 2017 Global Information Security Workforce Study (GISWS) reveals the ability to defend against cyber attacks has declined over the past year.

These are unsettling findings in the wake of the massive WannaCry and Petya ransomware infections, which spread fast and wide, and the recent Equifax breach, which potentially affected 143 million Americans.

Expertise Deficit

Nearly half (43%) of IT professionals who participated in the GISWS said their employees do not provide sufficient training and professional development from their employers.

Furthermore, only one-third of respondents (34%) said their employers pay for training, while 29% share the cost. Another 34% of study participants pay for all of their own security education. The study also found 55% of employers don’t require IT staff to have security certifications.

But the problem goes beyond the amount of education IT workers get. There is also an issue with inadequate staffing; 63% of study participants said their employers don’t hire enough cybersecurity workers.

Adding insult to injury, IT workers in charge of security lack clout with management. Their views on how to protect their organizations often are ignored, with 28% of participants saying they are asked for advice but it goes unheeded. Only 35% said their security recommendations are followed.

Taken together, these findings paint a picture of organizations that either are underestimating the seriousness of a growing threat landscape, or have made a calculation that they can survive the threat even with insufficient resources. The problem with either approach is it would take a breach to make them see the error of their ways.

Casual Approach

Considering the lack of focus on IT expertise development, it should come as no surprise that some organizations also are short-changing themselves when it comes to investing in security technology. More than half (51%) of study participants said their systems are less able than a year ago to respond to a cyber attack. Only 11% said their organization can discover a breach immediately.

This shows that for a lot of organizations, security is both a human resources and technology problem. Neither is getting enough attention. And the end result is a lackadaisical approach to security at time when attacks grow in frequency and magnitude. Organizations that continue to take a casual approach to security are putting themselves, their partners and customers at risk.