Rather, security requires attention and awareness from the entire employee base. CSOs need to communicate with peers, to influence them and incorporate best practices in data handling, system access, and engagement with third parties.
"These people need good communication skills because security is a community activity," said Suby.
Peeler added that the top commodity in the industry is security analysts. Analysts, she maintained, are important because they are able to take information, cull it down, and communicate it to the rest of the company in a way that makes sense.
"It's not just about tech stuff. It's more about understanding how the pieces work together in a way that's best for the organization," said Peeler.
Unfortunately, even if they do find the ideal candidate, organizations often find that they can't hire more security personnel, which is yet another contributing factor to the paradoxical challenges faced by CSOs: locating and hiring skilled and experienced InfoSec personnel is difficult.
According to the report, while the education system has contributed to students' ability to leverage new information technology; such as systems, devices, and applications — the focus on security has been limited.
As such, it falls on employers to build a more security-conscious workforce, and they often cannot afford to do so. The report showed that 61 percent of respondents cited "business conditions" as the number one restraint in hiring additional security personnel for their organization.
Companies have business priorities, said Suby, and only an X amount of money. Oftentimes that means that means that hiring more security personnel — even if the company would like to — gets the boot in favor of spending the money on other company priorities.
"There are business versus risk management decisions to be made. I could hire more security personnel, or I could spend the same money on another marketing plan," said Suby.
A moving target
Meanwhile, another paradoxical concern that the study exposed is that with attackers continuously evolving and becoming smarter, the largest looming threat to a company is always that which it does not know or cannot detect. Suby maintained that a major part of these threats is the manipulation of human nature and offered up the use of DDoS attacks as an example.
"[DDoS attacks] are advancing in not just what, but how they do it," said Suby.
"What's changing is that perpetrators understand that their victims can't cover all their bases all the time. So DDoS attacks can be used to divert attention from other defenses."
This way, attackers can subsequently move to sectors that are more vulnerable, he said, with Peeler likening the process to a cybersecurity version of Whack-A-Mole.
Sign up for CIO Asia eNewsletters.