CRD #13

On raising incident severities, budgets, perceptions on GenAI, factors influencing job satisfaction, and productivity vs security.

The Cybersecurity Research Digest cuts through the marketing fluff and bias to bring you relevant and objective insights on cybersecurity stats and trends, all backed by empirical data.
The post features highlights from trustworthy research sources released between 26 November and 9 December 2024, followed by a list of all monitored reports.

Raising severities: UK data shows surge in significant incidents

The UK's National Cyber Security Centre (NCSC-UK) Annual Review offers unique data indicators to understand year-over-year trends in the frequency and severity of cyber incidents.

Annual Review 2024 (NCSC-UK)

While the number of tips shared with the agency remained at a similar level, incidents classified as significant rose sharply, from 62 in 2023 to 89 in 2024 (an increase of roughly 44%). This aligns with data from other national cyber agencies, such as Canada's, showing that while the overall number of incidents may have stayed flat or even decreased, their severity has notably risen.

Security spending: budget growth, staff ratios, neglected training

A global survey of nearly 2,000 decision-makers and security specialists shows that organizations allocate an average of 12.5% of their total IT budgets to security, with a projected 9% increase over the next two years. This spending trend remains consistent across organizations of varying sizes, with only slight differences observed.

The study, however, highlights notable differences in how companies resource security based on size. Larger enterprises deploy more tools, averaging 15 solutions, but maintain a lower ratio of security staff to overall IT staff (21.9%). In contrast, SMEs (500–5,000 employees) and SMBs (fewer than 500 employees) use fewer tools (12 and 9, respectively) but employ a higher proportion of security staff (31% and 33.3%). This is consistent with the view that the more advanced (and often costlier) solutions promising greater automation, which larger enterprises can afford, reduce the need for security headcount. Note that the survey data shows a correlation between tool count and staff ratio, not a causal link.

In terms of solutions deployed, almost all organizations reported having some kind of endpoint, network, and cloud security controls in place. However, the report highlights a critical gap: only 53% of respondents reported conducting security training. This is significant, given that social engineering and human error more broadly remain among the top "vulnerabilities".

Phishing leads GenAI risk perceptions, but optimism prevails

Another survey of over 700 IT and security professionals indicates a strong sense of optimism about GenAI, with respondents being 8x more likely to view the technology as a net positive rather than a net negative for security.

2024 Gen AI Cybersecurity report (Ivanti)

However, the optimism does not overshadow the threats posed by GenAI. In that study, phishing was identified as the top threat vector expected to benefit most from GenAI advancements. This is likely due to the capability to automate and personalize large-scale social engineering attacks through LLM-based techniques.

2024 Gen AI Cybersecurity report (Ivanti)

The study also highlights a dual perspective on GenAI’s role in addressing the cybersecurity talent gap. While professionals recognize its potential to bridge workforce shortages, they are 6x more likely to believe AI tools will primarily benefit employers rather than employees. This suggests that security professionals are no exception in sharing the widespread societal concerns about AI’s potential to affect job security and redefine professional roles over time.

Job satisfaction depends on communication with and buy-in from leadership

A survey of cybersecurity professionals offers a counterpoint to the largely negative discourse surrounding workforce dissatisfaction. Of the 369 respondents, 76% reported being very or somewhat satisfied with their current roles, while 13% felt neutral, and only 10% expressed dissatisfaction (somewhat or very).

However, satisfaction doesn’t negate the stresses of the job. Unsurprisingly, key stressors included overwhelming workloads, disengaged managers, security being overlooked in project planning, and the constant need to manage emergencies.

Conversely, the most significant factor driving job satisfaction was identified as the leadership team’s commitment to security, followed by financial compensation and sufficient organizational investment in security initiatives.

The Life and Times of Cybersecurity Professionals (ESG)

Communication and leadership skills were overwhelmingly viewed as the most critical qualities for a successful CISO, while technical skills — perhaps surprisingly — were considered only marginally important. Moreover, CISOs perceived as "very effective" or "effective" were linked with those who consistently engage with executive management and the board of directors, highlighting the importance of strategic alignment at the leadership level.

The Life and Times of Cybersecurity Professionals (ESG)

Employees naturally prioritize productivity, not security

A global survey of over 14,000 employees from the USA, France, Germany, Australia, and Singapore revealed widespread disregard for or unawareness of security best practices and policies. For instance, 60% of respondents reported using personal devices to access work-related apps, emails, or systems in the past year. Additionally, 49% admitted reusing login credentials across multiple work-related applications, and 36% used the same credentials for both personal and workplace accounts.

Employees consistently prioritize productivity over cumbersome security protocols and best practices, underscoring the importance of treating ease of use and seamless integration as essential criteria when selecting and deploying new security solutions.


Reports monitored: 25 November - 9 December 2024

To take a deeper dive into the topics most relevant for you, we've listed all 37 monitored research reports that were published during the observed period.

Title | Organisation(s) | Topic(s)
Cyber attacks have cost UK businesses £44bn in the last five years, according to Howden | Howden | insurance claims / UK
2024: AI and City/County Government Survey Results | Public Technology Institute | AI general
Data Breach Trends Report 2024 | NordPass | data breach trends
The SME Mobile Threat Report | CyberSmart | SME / mobile
IT Security Economics | Kaspersky | budgets
IT threat evolution in Q3 2024. Non-mobile statistics | Kaspersky | threat intel
APT trends report Q3 2024 | Kaspersky | threat intel
Understanding Threat Actor Readiness for the Upcoming Holiday Season | FortiGuard Labs | threat intel
Pulse of Change | Accenture | leader perceptions
Cybersecurity as an Imperative for Growth | Vodacom Business | South Africa / general
Maturity of Software Supply Chain Security Practices 2024 | Red Hat | software supply chain
Cyber Roundup Report 2024 | Cowbell | SMEs / insurance
The Unexpected Impact of Identity Security on Shopping Habits | HYPR | consumer / ecommerce
Handy Recovery Advisor’s 2024 Survey | Handy Recovery Advisor | consumer / data recovery / data backup
2024 State of External Exposure Management Report | CyCognito | exposure
The State of Scams in the United Arab Emirates – 2024 report | The Global Anti-Scam Alliance (GASA) and BioCatch | fraud / UAE / consumers
Use and Security of GenAI in Software Development | Legit Security | GenAI / software development
Gen AI and Cybersecurity: Risk and Reward | Ivanti | GenAI / perceptions
2nd December – Threat Intelligence Report | Check Point Research | threat intel
The Life and Times of Cybersecurity Professionals Volume VII | Enterprise Strategy Group (ESG) | workforce / HR
Security questionnaires report: the impact of automation | Vanta | automation
Q3 2024 KnowBe4 Phishing Report | KnowBe4 | phishing
NCSC Annual Review 2024 | NCSC UK | UK / threat intel / general
CyberArk 2024 Employee Risk Survey | CyberArk | employee risk
Cybercrime Supply Chain 2024: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them | Interisle Consulting Group | cybercrime / domains
Cybersecurity Report 2025 | Hornetsecurity | email
Gender Dimensions of the Australian Cyber Security Sector | RMIT University | gender / HR
India Cyber Threat Report 2025 | Data Security Council of India / Seqrite Labs | India / threat intel
Cloud, Complexity, AI: The Triple Threat Demanding New Cyber Resilience Strategies | NetApp | general
ThreatLabz 2024 Encrypted Attacks Report | Zscaler | zero trust / encrypted attacks
Artificial Intelligence and Machine Learning in Cybersecurity Survey | Dark Reading | AI / cybersecurity
CNET Cybersecurity Survey 2024 | CNET w/ YouGov Plc | US consumers
2024 Report on the State of Cybersecurity in the Union | ENISA | EU / NIS2
The dark side of cybersecurity: The impact on cybersecurity professionals of working blindfolded in an increasingly hostile environment | Green Raven w/ Censuswide | cybersecurity workforce / UK
2025 Forecast for Managing Private Content Exposure Risk | Kiteworks | secure data exchange
The State of Cyber Resilience: Why IT and security leaders are bolstering cyber resilience as complexity increases | Axonius | general / leader perceptions
Census III of Free and Open Source Software | Linux Foundation | open source

About

evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.


✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)