As if the multiplicity and ingenuity of security threats weren’t enough, businesses are now suffering from a severe shortage of security skills, writes Brian Levine, Senior Director of Cloud Security and Privacy, Syncplicity.
Whichever study you look at, the findings are stark: whether it’s the Frost & Sullivan poll of 14,000 respondents, which found that two thirds of organisations had too few security personnel; or the ISACA research where 86 per cent of IT professionals say there’s a shortage, while only a third believe their organisation is prepared for a cyber attack.
This shortfall is rapidly reaching crisis point, with yet more research predicting that the workforce shortfall in the information security industry will reach 1.5 million within five years. Given the difficulties associated with securing security talent, businesses are increasingly asking how they are supposed to keep themselves safe in an increasingly dangerous online world.
Organisations of all sizes need to change the way that they think about data security. Rather than seeing cyber skills as a job role to be filled, and security as a matter of patching potential vulnerabilities, businesses need to understand the specific needs and weaknesses of the way they work, and the tools they use. In addition, it’s critical that enterprises are aware of the relevant security requirements within the regions in which they operate, including data residency controls, which can differ by country. This can seem a daunting task for an organisation whose security department is under-skilled or under-staffed; however, one way to meet it head on is to work with providers who offer precisely the right blend of technologies to address security issues while enabling business efficiencies.
Understanding your business
Every business is different: from its operations to its IT infrastructure; its ways of working to its corporate culture. Some will place a premium on employee mobility and productivity; others may be focused on issues such as data sovereignty. The starting point for thinking about security must always be: How does the business want to work? With CIOs under pressure to quickly enable user adoption of digital tools, security needs to keep pace with such widespread adoption of new technology.
To protect themselves, businesses need to undertake a thorough audit of their needs from both a security and business perspective. This should encompass such factors as potential vulnerabilities alongside the various technologies that the company uses – or plans to implement – such as remote working, employee devices, and collaboration software. For example, do they understand what tools employees are using to share information, and do they have oversight over what data is being used on these platforms and devices? Do they understand the impact that new regulations – such as the EU’s General Data Protection Regulation (GDPR) or Privacy Shield (once implemented) – will have on their business and operations?
Only once they have this holistic picture of the organisation, its needs and its potential vulnerabilities can a business begin the task of evaluating whether they have the internal resources and expertise to manage security effectively, whether they need to bring in dedicated security talent, or outsource to an external provider. Working with vendors that are well versed in compliance is critical here in order for organisations to feel reassured that their data is not only secure, but also adhering to local laws and regulations. Organisations need to challenge the vendors they work with to not only demonstrate they can meet the relevant security measures needed in their industry, but also to prove they can adhere to the appropriate data residency controls associated with the region in which they operate.
Security that fits
Once a business has a clear picture of how it wants its employees to work, it will be able to identify potential vulnerabilities across its corporate network.
For example, a company that chooses to enable remote working and collaboration needs to have effective tools such as two-factor authentication, mobile device management, secure sign-on, remote device wiping, and comprehensive policy controls covering every device and software application used by workers. Businesses also need to get to grips with other significant issues, such as shadow IT, and factor these into their overall corporate security policy.
The one thing a business can depend on is that at some point they will fall victim to a data breach or security issue, meaning it’s never too early to start thinking about security and putting it at the top of the agenda.
Who to hire?
Businesses face three simple choices: hire a full-time expert who can manage security, outsource to a third party or use a combination of the two. The advantage of using external companies is that it enables businesses to tap into a wealth of expertise, experience and resources. What’s more, it gives businesses the option of flexibly deploying these resources whenever they most need them, and to meet specific organisational and operational needs.
It’s important that security is seen as an enabler of the way you want your business to work, not a cumbersome additional layer of technologies and processes that hinder working. That’s why it’s so critical for a business to identify its needs and potential vulnerabilities, and partner with a supplier that can provide these functionalities with embedded, best-in-class security. While a good IT security expert can be hard to find, the right skills and expertise are out there. It’s just that, these days, they are more likely to reside within specialist IT providers. However, when a business decides to source security technology and expertise, the key consideration must be that its procurement is based on a thorough understanding of its operations and the way it wants to work. That might well require a dedicated internal security specialist who – should you be lucky enough to find a good one – may be regarded as one of the most valuable corporate assets, and treated accordingly.
With the shortage in security skills unlikely to be addressed in the short- to medium-term, however, collaborating with the right partners can help businesses to tap into resources that they may not traditionally have available to them and ensure they can keep their corporate data safe.