A recent RAND Corporation study based on interviews with 18 chief information security officers (CISOs) found that while companies are spending more and more on cyber security tools, they aren't confident their data is secure, and many CISOs believe attackers are gaining on corporate defenses.

Even though worldwide spending on cyber security is approaching $70 billion a year and is continuing to grow at 10 to 15 percent annually, many CISOs told RAND they believe hackers may gain the upper hand between two and five years from now.

Still, there is reason for hope. "Despite the pessimism in the field, we found that companies are paying a lot more attention to cyber security than they were even five years ago," RAND senior management scientist and co-lead author of the study Martin Libicki said in a statement.

"Companies that didn't even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them," Libicki added. "Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker's job more difficult and more expensive."

Notably, when asked what they would do if provided with more funds for cyber security, the majority of CISOs focused on human-centric solutions such as security awareness training, increased cyber security staffing, auditing networks for preventable faults, and conducting behavioral-focused analysis of attacks and attackers.

"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker," RAND researcher and co-lead author of the study Lillian Ablon said in a statement. "Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."

And Rapid7 global security strategist Trey Ford told eSecurity Planet by email that it's clear the field of cyber security is being tested aggressively. "CISOs hold an incredibly challenging post, as the title is roughly just 17 years old, and the lessons learned by those in this office are shrouded or entirely prevented from sharing due to external and internal NDAs and shareholder concerns," he said.

"CISOs are still grasping at how best to report security program performance to the board, and it comes as no surprise that corporate executives are managing to public perception of security and data safety," Ford added.

The full RAND report, sponsored by Juniper Networks, is available here.