A global survey of 1,850 IT and cybersecurity decision-makers finds more than half (51%) reporting that directors or executives have faced fines, jail time, loss of position, or loss of employment following a cyberattack.

Conducted by Sapio Research on behalf of Fortinet, the survey also finds more than 50% of respondents admitting breaches cost their organizations more than $1 million in lost revenue, fines and other expenses last year. Just under a third (63%) also noted it took longer than a month to recover from a cyberattack.

As a result, nearly all respondents (97%) report their board sees cybersecurity as a business priority, with just under three quarters (72%) noting their board of directors was more focused on security in 2023 than the previous year.

However, the survey makes it clear a chronic lack of skills continues to hamper cybersecurity efforts. In the past year, nearly 87% of respondents said they experienced a breach that they can partially attribute to a lack of cyber skills, with 70% indicating that the cybersecurity skills shortage creates additional risks for their organizations.

A full 89% said to close that gap their organization would pay for an employee to obtain a cybersecurity certification to ensure that had the right skills. A full 90% also noted their organization prefers hiring candidates with certifications, but 72% said it is difficult to find candidates with technology-focused certifications.

At the same time, however, 71% said their organization still requires four-year degrees, and 66% hire only candidates with traditional training backgrounds. Not surprisingly, 62% of respondents also said the greatest challenge is finding candidates with specific experience in network engineering and security.

On the plus side, 83% noted their organizations have set diversity hiring goals for the next few years to help increase the pool of IT talent they can recruit from, the survey found.

Cybersecurity Aware Culture

Rob Rashotte, vice president of the Fortinet Training Institute, said it’s clear more organizations are focused on building a culture that is cybersecurity aware as losses continue to mount. After all, people are always going to be the first line of defense, he added.

The biggest issue organizations often have is not necessarily the underlying technology as much as it is having clear lines of communication between senior executives, IT teams and security professionals, said Rashotte.

Additionally, as organizations continue to invest in automation and artificial intelligence (AI) it’s important to reevaluate what, for example, entry-level skills might be required tomorrow versus today, he noted. It’s not likely AI will eliminate the need for cybersecurity expertise but roles within organizations will evolve, said Rashotte.

At the same time, many security operations tasks are also increasingly being assumed by, for example, network operations teams to help compensate for the chronic shortage of cybersecurity skills, he noted.

Cyberattacks, of course, are inevitable. The challenge is being able to respond adroitly to either thwart them or, at the very least, contain the amount of damage inflicted. Hopefully, with the rise of AI that goal in a way that doesn’t burn cybersecurity teams out will become a lot easier to achieve.