Cybersecurity has always been important, but in today’s increasingly digital world it arguably matters more than ever. As an organization’s digital footprint and connectivity grow, so do its security risks. Despite security being a must-have for businesses, resourcing it remains a persistent problem. Security experts themselves recognize this: 51% of cybersecurity professionals say their organization is at moderate to severe risk of a security attack. The cybersecurity resource challenge has many causes. Security work is not always rewarded the way shipping a new business application quickly is, which usually leaves security teams understaffed and overworked. At the same time, skilled cybersecurity professionals are in high demand, and turnover in security positions is significant.
The shift to digital-first operations and working from home across industries is also exposing new cracks in the cybersecurity landscape. The resource problem has always existed; now is the time to start solving it through a comprehensive strategy involving people, processes and technology.
COVID-19 and the shift to digital-first
Organizations always try to keep their attack surface as small as possible, but the sudden onset of the COVID-19 crisis forced many companies in financial services and other sectors to rapidly expand their perimeter to accommodate a massive increase in remote access. For all too many companies, this turned the cybersecurity resource challenge into a full-blown problem, and security was overlooked in many cases. Many security teams are now being redirected to supporting general IT operations and simply may not get the chance to apply security controls to the new systems that enable remote work. Organizations are struggling to adapt to the growing number of employees using personal devices for business-critical work that may involve sensitive customer information or Personally Identifiable Information (PII), on devices that may lack important security updates or corporate configuration settings. Even smaller financial services firms that offloaded security to Managed Security Service Providers (MSSPs) were affected, because MSSPs were just as overwhelmed by the security demands brought on by COVID-19 as their customers, and may be unavailable while dealing with their own workforce disruptions.
The pandemic is also showcasing staffing issues that have always existed. Before the pandemic, a survey found a cybersecurity workforce gap of nearly 500,000 in the United States; meeting all of the existing cybersecurity needs of US businesses would require the cybersecurity workforce to grow by close to 62%.
Solution: Focus on the people
The first place to start solving the cybersecurity resource problem is the people: not just those in the cybersecurity or IT departments, but everyone across the organization. The more employees understand the role they play in keeping the company safe from cyberattacks and breaches, the more empowered they will feel. Start with basic training and development that is accessible at all levels. Engaging virtual “lunch and learns” with security experts, mock breaches, tabletop exercises, and escape rooms built around security puzzles that cross-organizational teams solve together are all good tactics to pique interest in cybersecurity and cross-train a broader cross-section of employees.
One of the major cybersecurity resource challenges is that it is a job with high turnover. Because the skills required are not industry-specific, employers need to make sure they have enough incentives to keep top security talent. Offering opportunities to nurture and develop existing cybersecurity talent is crucial, for example by funding the IT and security certifications staff need or paying for additional courses. Showing a clear career path and committing to their success can go a long way. Celebrating successes, even day-to-day ones, and acknowledging all that the team does can boost morale. The best security team may be the one working quietly behind the scenes, but that does not mean it doesn’t deserve recognition. Lastly, when it comes to hiring, be strategic: think about which skills new hires need to have up front and which can be taught. A new graduate with a computer science or engineering degree could be a prime candidate.
Solution: Evaluate the current processes
When security becomes everybody’s focus, it no longer stays siloed in the IT or security departments. Once you have engaged more employees on its importance, it is time to evaluate the security processes your organization already has in place. Is there a ticketing system or hotline for employees who think they are being hacked or phished? In banks in particular, is there a process for securing sensitive customer information and Personally Identifiable Information (PII) when employees are using their own laptops? Is security integrated, in an automated fashion, into the application development lifecycle from the start, and do the application development, IT operations, testing, and security teams work together regularly and seamlessly? In other words, has DevSecOps been successfully implemented in the organization? It is also important to take a good, hard look at training processes and be honest about where the training gaps are.
It is also important that everyone involved with cybersecurity is aligned and comfortable using the solutions and processes in place. Streamlining processes becomes far more difficult when one group uses one process or tool and another group uses a different one.
Solution: Make sure the technology works for you, and not the other way around
Too often, organizations blindly throw more resources at a cybersecurity or IT problem, whether more people or more tools, without first fully analyzing the security tooling and resources they already have. If organizations do not research their existing and new technologies to understand what will work best for them now and in the future, the tools themselves become another barrier to cybersecurity. Start with a technology audit that identifies which tools are currently being used for security, and flag any legacy tooling that may not be compatible with more modern technologies such as the cloud, Kubernetes, or containers. Make sure you are using the built-in security capabilities provided by your cloud service provider, operating system, or container platform. Before purchasing any new technology or tooling, research which tools and vendors may be right for your organization, and do not discount enterprise open source technology vendors.
Once the technology audit is complete, it is time to think about a consistent automation strategy across the organization. In today’s increasingly complex world, employees are pulled in many directions, and in cybersecurity in particular no human could ever close every security gap by hand. In fact, a fully deployed automation strategy could reduce the cost of a security breach by up to 95%, yet only 16% of organizations have one in place. An automation strategy helps organizations mitigate and respond to risk more effectively: it reduces human error, speeds up response to issues and security alerts, produces repeatable security and compliance workflows, and makes DevSecOps achievable. For best results, choose an automation language that is modular and easy to learn, so that new hires can come up to speed quickly and no single person “holds the key” to implementing the automation strategy across the organization.
The cybersecurity resource gap in your organization may seem daunting, but tackling it across people, processes and technology can solve some of the challenges it presents. Thinking long term, not short term, is crucial to setting your organization up for cybersecurity success.