Businesses recognise security as a growing imperative, but many remain on the defensive, fighting cyber threats with dated tactics and training, according to new report released by CompTIA.

The Evolution of Security Skills survey calls on companies to adopt proactive measures to identify weak links before they are exploited; broaden the security skills of their technology professionals; and implement top to bottom security training throughout the organisation.

>See also: Demand for cyber security skills increasing

“Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated,” said Seth Robinson, senior director, technology analysis, CompTIA.  “But a new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them.”

One of the challenges for organisations is that they tend to place the greatest emphasis on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyber attacks, typically get the most attention.

“While we certainly need to remain vigilant about these threats, many other forms of attack have emerged that can carry disastrous consequences,” Robinson said.

The majority of companies in the CompTIA study expressed only mild concern that they would be the target of ransomware, a dedicated denial of service, social engineering, Internet of Things-based attacks, or SQL injections.

>See also: Britain’s cyber security gap…it’s bad

“While many companies have moved in the direction of cloud computing, mobile devices and other new technologies, it’s clear that a large number have failed to fully consider the corresponding security implications,” Robinson noted. “Gaining an appreciation and understanding of the many threats in play today is the first step in threat management.”

Companies are gradually shifting their focus from defense to offence. In CompTIA’s survey of business and technology executives at 350 U.S. companies, 29% of firms said they are highly proactive in their security posture, emphasising detection and response.

Another 34% said they balance a strong cyber defense with some proactive measures. “Strong defence will always play a role, but this must be coupled with external audits, penetration testing and other proactive measures,” Robinson advised.

The human factor

Training (60% of companies surveyed) and certification (48%) are generally the favoured methods of building advanced security expertise for their technology professionals.

>See also: Why businesses must make cyber security skills a priority in 2017

Organisations that follow through on certifications after training find that they provide a higher degree of credibility, better proof of knowledge and improved candidacy for open positions.

Companies are also more understanding of the need to develop a security-aware culture, from the executive team through middle managers to the general staff. The survey found that 58% of companies offer security training during new employee orientation; 46% perform random audits; and 35% offer “live fire” hands-on labs.

Nominations are now open for the Tech Leaders Awards 2017, the UK’s flagship celebration of the business, IT and digital leaders driving disruptive innovation and demonstrating value from the application of technology in businesses and organisations. Nominating is free and simply: just click here to enter. Good luck!