This opinion article was written by our CEO Jorge Monteiro, originally published on Dinheiro Vivo, and has been freely translated from European Portuguese.
Cybersecurity is a political and operational priority for the European Union. This statement was made a few days ago by the European Commissioner for Budget and Administration, Johannes Hahn, who added: "More co-operation, certainty and efficiency will create a climate of collaboration and trust where people, data and networks can operate and interact safely."
Mr. Hahn spoke about the political agreement between the EU Parliament and the Council on the Commission's proposed Regulation establishing measures for a high standard level of cybersecurity across the Union's institutions, bodies, offices, and agencies. The negotiations have now been finalized and the door is open for the final adoption of the legal text by the European Parliament and the Council.
Unfortunately, despite the good news about the path that is being charted, it should have started much earlier and we must not confuse prioritization with problem-solving. In order to "operate and interact safely", in institutions as in companies, there is still a lot to do.
This is borne out, in the Portuguese case, by the data in the report "Cybersecurity in Portugal - Risks and Conflicts" issued in June, in partnership, with the National Cybersecurity Centre and the Cybersecurity Observatory. In our country, the perception of risk increased in 2002 and 2023, the threat picture revealed an increasing professionalization of cybercrime and the strengthening of threats, the most common being "ransomware, cybersabotage or DDoS attacks, which overload servers and make web resources unavailable, phishing/smishing/vishing, online scamming and account compromise/attempted login".
Among the victims, there is everything in practically all sectors: Banking, Education and Science, Technology and Higher Education, Transport, Health, and Media. In Public Administration, the Local Administration subsector is increasingly being attacked.
It is therefore not surprising that in Portugal, as abroad, there is increasing talk of the still hidden reality of "vulnerability burnout", which results from the excessive noise and false positives generated by most scanners, or "cybersecurity burnout", which results from the fact that professionals are increasingly pressurized by the number of attacks verified, suffering from a lack of recognition when things go well and being pointed out as the maximum responsible when they go wrong, there are few and they work more and more.
In addition, they suffer under the weight of excessive bureaucracy, with every decision having to go through excessive layers of approval within institutions and companies.
In other words, these are real problems that do not contribute to the balance and mental health of cybersecurity professionals.
That's what a lengthy article published in May by the Wall Street Journal is all about. In "Cybersecurity Leaders Suffer Burnout as Pressures of the Job Intensify", journalist Catherine Stupp collects several testimonies on how "relentless cyberattacks and the pressure to fix security flaws despite budget constraints are raising enterprise professionals' stress levels and their worries" about the legal liability they may face. According to the article, 3 out of 4 CISOs in the US suffer from burnout, putting them on the brink of resignation.
As a result of experience, we have noticed that one of the ways found to reduce this internal pressure on CISOs is outsourcing. In fact, demand for this solution has been growing, particularly in terms of continuous offensive security testing, which allows vulnerabilities to be identified in real-time, with 99% accuracy. This solution allows companies to optimize the human, technical and financial resources involved in cybersecurity policy, as it is more efficient than current prevention methods and because typical market scanners report many false positives and unnecessary alerts.
If we think that on average it takes 30 to 60 minutes for a technician to validate a vulnerability and that large organizations can have hundreds of vulnerabilities to validate and fix per day, we realize the enormous importance of accuracy.
On the other hand, we know that vulnerability exploitation is one of the biggest causes of the increase in cybercrime. Criminals automatically and actively seek out and exploit every door that is left open by organizations on the internet. It turns out that most companies are unaware of what's going on in around 30 percent of their digital footprint. Add to this the fact that more than 70 new vulnerabilities are identified every day ("Common Vulnerability Exposure") and that cyber-attacks are increasing very significantly, the need for companies to be proactive in identifying their vulnerabilities and to do so 24 hours a day, 365 days a year becomes clear.
But more importantly, it becomes crucial to validate and prioritize vulnerabilities according to the actual risk they pose to organizations, so that security teams can focus on mitigating high risks quickly.
Identifying a problem is more than halfway to solving it.
And teamwork, with external partners, is the only way national companies can make up for their lack of resources in the face of the scale of the threat we face. All of us will not be too much. And only then will the words of Commissioner Hahn become a reality.