"We have viewed cybercrime rightly or wrongly from the perspective of it being an external attack, so we attempt to throw a security blanket over the perimeter if you will," Durbin says. "There is a threat within. That takes us to a very uncomfortable place from an organizational standpoint."
The fact of the matter is that organizations won't be able to come to grips with cybercriminals unless they adopt a more forward-looking approach.
"A few weeks ago, I was speaking to a CISO of a major company with nine years on the job," Durbin says. "He told me that with big data analytics, he now has almost complete visibility across the entire organization. After nine years. The cybercriminals have had that capability for ages. Our approach is continually reactive as opposed to proactive."
"Cybercriminals don't work that way — based on history," he adds. "They're always trying to come up with a new way. I think we're still not that great at playing a defensive game. We need to really raise it to the same level. We're never going to be as imaginative. There's still this view inside the company that we haven't been broken into already, why are we spending all this money?"
5. Skills gap becomes an abyss for information security
Information security professionals are maturing just as the increasing sophistication of cyber-attack capabilities demands ever more of an already scarce pool of them. While cybercriminals and hacktivists are increasing in numbers and deepening their skillsets, the "good guys" are struggling to keep pace, Durbin says. CISOs need to build sustainable recruiting practices and develop and retain existing talent to improve their organization's cyber resilience.
The problem is going to grow worse in 2016 as hyperconnectivity increases, Durbin says. CISOs will have to become more aggressive about acquiring the skill sets the organization needs.
"In 2016, I think we're going to become very much more aware that perhaps we don't have the right people in our security departments," he says. "We know that we've got some good technical guys who can fix firewalls and that sort of thing. But the right sort of people can make the case for cybersecurity being linked to business challenges and business developments. That's going to be a significant weakness. Boards are coming to the realization that cyber is the way they do business. We still don't have the joined up linkage between the business and the security practice."
In some cases, it's going to become apparent that organizations simply don't have the right CISO in place. Other organizations will have to ask themselves if security itself is sitting in the right place within the organization.