noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Applovin Corporation

What is Customer Lifetime Value (LTV) in Mobile App User Acquisition
Darling Ingredients Inc.

Third quarter 2024 financial results
University of Montana Western

EARN YOUR ELEMENTARY EDUCATION DEGREE FULLY ONLINE WITH UMW’S PROJECT REAL

Politics and Policy

compTIA - Computing Technology Industry Association Inc.

10/18/2024 | News release | Distributed by Public on 10/18/2024 08:22

Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report

If April is the cruelest month, then October is absolutely the most intriguing. Why? Because it's when we share the CompTIA State of Cybersecurity 2025 report, not only as a way to welcome Cybersecurity Awareness Month, but to highlight the latest measures, trends, and data regarding the industry.

Let's take a look at some of the more nuanced and intriguing findings the report has to offer. While it's undisputed that there's still so much progress that needs to happen in the field, there is some real evidence that the cybersecurity industry is continuing to grow and evolve in the right direction.

The rise of multiple security architectures

The phrases "security architecture" and even "zero trust architecture" have been bandied about for years. But, rarely have I ever seen a report discussing the need to use multiple architectures to implement, at the minimum, adequate cybersecurity measures.

Presumably, the cybersecurity industry's goal is to reduce the attack surface, and therefore lower the cost and rate of cybersecurity incidents and data breaches while bolstering overall data security. To bring this about, the cybersecurity industry has created dozens (if not hundreds) of initiatives, directives, cybersecurity frameworks and methodologies and lifecycles. Yet, this is the first time I've seen a report discuss the need to modularize cybersecurity into multiple architectures.

I think that addressing business logic first - which includes executive buy-in to budgeting - is a brilliant move. It reflects a certain maturity in the cybersecurity industry. Cybersecurity- a notion that once seemed confined to tech departments within organizations, is getting the recognition it deserves among the people at the helm of business operations. This executive buy-in ensures that best practices for safeguarding systems extend beyond just the tech department and influences the behaviors of individuals in all parts of an organization.

As much as I love to discuss application workflows, data architectures, and the fun, greasy techie stuff, it's a truly useful step to put "business architecture" first. That does mean this report is aimed solely at enterprises or MSPs or for-profit organizations: It states that once you get your business process ducks in a row, you're off to a great start. If cybersecurity involves successful iteration, then it's vital that you have a clear-cut set of policies to establish a clear path forward.

Addressing disconnects: A new look at "gaps"

Notice that the report eschews the phrase "skills gap." Instead, it addresses multiple gaps that effectively become silent but powerful barriers that sap an organization's will to implement cybersecurity. Some of the gaps - which the report calls disconnects, are discussed in the table below.

Cybersecurity gap	Description
Value	A disconnect between planned investments in technology and business process changes and perceived actual results.
Methodology	Slow adoption of proven cybersecurity strategic approaches, including incident response, governance, and data defense.
Budget	There is a chronic discrepancy between what leaders say about cybersecurity being a priority, and the money they subsequently (don't) pony up. In a recent webinar I gave, a CISO wrote in a comment that read, "There's never any budget until after an attack happens."
Process	The report does a fantastic job of showing the importance of each architecture necessary to cybersecurity (business, application, data, and technology.

The overall result is a cybersecurity confidence gap. Here's hoping that organizations see how looking into each of these gaps can help them improve their processes and make meaningful progress.

Notice that the table doesn't list a "skills gap." I don't list it, because similar to the letters, "AI," it is a phrase that is increasingly shopworn. Furthermore, the phrase doesn't capture the nuances as found in the report. The report discusses how specialized skills are important. Specific skills that are increasingly important include:

Network monitoring and security

Security analytics

Governance

Risk management and analysis

Cloud security

Operational Technology

Moving the needle

The report then includes a list of ways that organizations are improving the use of cybersecurity technologies and processes. As you would expect, it primarily focuses on executive buy-in, but, it doesn't stop there: The report then discusses the need for IT and cybersecurity workers to better visualize the impact of the tools they use. This also highlights the importance of having skilled cybersecurity professionals who can execute these needs.

In other words, it's important to better articulate the value that specific initiatives bring to the organization. Once again, it appears that the cybersecurity industry is making some progress at demonstrating its business value.

Are we getting past peak AI hype?

So much surface level documentation about artificial intelligence (AI) and its implications on cybersecurity has come about. It's refreshing to see that the report investigates the hype surrounding AI. For example, the report states that only 7% of firms state that they have fully implemented AI in their operations. The report also reveals another tell-tale sign of AI hype: For now, AI is increasing, and not decreasing, cybersecurity complexity, mainly because organizations are still trying to figure out exactly where to use it.

In fact, the report states that 47% of the respondents feel that they're still trying to figure out what the emergence of generative AI really means; I think that's remarkable: It demonstrates honesty and curiosity: Two elements that are extremely valuable, yet not often discussed in the cybersecurity industry.

So, the jury is still out on AI, though one point is clear. AI-enabled cybersecurity use cases seem to favor content-based approaches. The graphic below that shows AI-enabled cybersecurity measures suggests that AI has the ability to monitor network traffic content, do threat modeling, and predictive analytics.

AI remains the most compelling poster child for automation. It's revealing that cybersecurity workers and leaders continue to suggest that they are just starting a meaningful journey into the practical use of AI.

Curious and want to dive deeper? I highly recommend that you check out the report. It provides quite a snapshot of an industry that, while it sometimes fails to make as much progress as it should, seems to be getting increasingly serious about solving long-standing problems. Read the CompTIA State of Cybersecurity 2025 report

Blog contribution by Dr. James Stanger, CompTIA Chief Technology Evangelist

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format