NVTC has published the first infographic in its new research series. In this cybersecurity-focused piece, we’ll take a look at the data behind the compelling numbers in the infographic.
The Cybersecurity Workforce Capacity Gap
Federal CIO Tony Scott estimates there are currently 10,000 unfilled cybersecurity positions in the federal government alone. Fifty-five percent of NVTC members responding to a recent survey indicated they are attempting to hire cybersecurity specialists this year. This capacity gap exists in the commercial sector as well. At a fireside chat on May 26, 2016, Virginia Governor Terry McAuliffe indicated that of the 31,000 Virginia IT openings, 17,000 are in the cybersecurity sector. While Greater Washington is likely the cybersecurity workforce capital of the world, we still face a critical shortage of qualified professionals.
The Department of Defense is attempting to upskill 6,200 cyber professionals from active military and 2,000 from the National Guard and reserve units by 2018, and has offered up to $50,000 in retention signing bonuses to current military cybersecurity professionals. Further, OPM authorized the U.S. Cyber Command in 2015 to hire up to 3,000 civilian cybersecurity professionals at the highest federal pay grade outside of senior management positions.
Cybersecurity Incidents and Threat Vector Area Increasing
When we take a look at cybersecurity incidents, we find that simple employee mistakes make up a large percentage of our current risk. The March 18, 2016 Federal Information Security Modernization Act (FISMA) report to Congress cited 77,183 information security incidents over the course of Fiscal Year 2015, which represents a 10 percent increase from FY 2014. Of those incidents, 13 percent were lost, stolen or confiscated equipment; 15 percent were driven by government employee error such as internal policy violations and improper usage; 16 percent were not related to IT, such as the loss of paper records. Strikingly, only 56 percent of all incidents represented an external cybersecurity threat.
Fifty-three percent of IT decision-makers in a SolarWinds and Market Connections survey reported that unwitting insider threats – human error – are the most serious cybersecurity threat. OPM Security Operations Manager Jeff Wagner said, “I will have a job until the end of time simply because I have users” at a February 2016 cybersecurity conference in Washington, D.C.
The threat vector area continues to increase as well. In a Crowd Research Partners online survey of 882 IT professionals from across the world, 20 percent suffered a security breach associated with a mobile device, 24 percent indicated that an organizational mobile device connected to a malicious server while roaming and an alarming 39 percent of those devices downloaded malware.
According to Craig Williams of Cisco’s Talos Research, an internet scan by Talos revealed approximately 2.1 million systems vulnerable to the JBoss exploit used in common ransomware attacks. And other JMX-based exploits that have been known for more than a year are waiting in the wings to strike systems based on JBoss as well as related systems such as WebLogic, WebSphere, the open source Jenkins automation server and the OpenNMS network management platform. These are cases where simply updating those systems would patch the vulnerability.
Cost of Data Breaches and Intrusions Rising
The Ponemon Institute’s 2015 Cost of Breach Study: United States indicates the average cost of a data breach rose 11 percent year-over-year, to $6.53 million, with an average cost of $217.00 for each lost or stolen record.
In an official statement on the March 2016 MedStar Health hack, an FBI official disclosed that the reported loss from ransomware attacks in 2015 was $24 million. In its 2014 annual report, the FBI’s Internet Crime Complaint Center (IC3) indicated there were 269,422 complaints filed with reported losses totaling over $800 million. IC3 reports 7,694 ransomware complaints with $57.6 million in losses since 2005.
Cybersecurity Spending and Venture Capital Funding on the Rise
The U.S. government spends more than twice as much annually on cybersecurity as the combined public and private sectors of any other nation. The administration’s 2016 budget allocated $14 billion in cybersecurity spending while the 2017 budget submission calls for over $19 billion.
The 2015-2020 federal cybersecurity market is valued at $65.5 billion. Vendor-provided cybersecurity products and services are estimated to grow from $8.6 billion in FY 2015 to $11 billion in 2020 at a compound annual growth rate of 5.2 percent.
2015 venture capital funding in the Greater Washington region reached $647.85 million for organizations with cybersecurity products or services, representing 45.78 percent of the $1.415 billion in total 2015 venture funding in Greater Washington.
While cybersecurity threats and breaches can be devastating, they are also galvanizing for the technology community. Now, more than ever, there is an opportunity for NVTC members to come together and deepen their commitment and influence in driving innovation and workforce development in cybersecurity. NVTC is here to provide its members with the latest cybersecurity developments through research, communications publications, webinars, conferences and advocacy efforts. Stay tuned for NVTC’s upcoming cutting-edge research series that will feature infographics, white papers and reports.