The missing link in cyber resilience?
- Published: Friday, 10 July 2020 08:40
Organizations need to embrace a mindset of continuously identifying - and closing - gaps in their cyber security posture to ensure the organization is as secure as it can be. To achieve this a person, or team, needs to be appointed to this role says Matt Cable.
At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cyber security industry clearly has some gaps to fill.
But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern. To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.
Evidentially, ensuring cyber security employees and teams have the right skills to keep both their organizations and their data safe, is essential. However, as well as ensuring they have access to the right skills, organizations should also embrace a mindset of continuously identifying - and closing - gaps in their cyber security posture to ensure the organization is as secure as it can be.
Infrastructure security versus infrastructure connectivity
There is a big misconception within cyber security teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organizations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other.
What organizations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organizations can then work towards understanding if they currently do possess the right skills to address the challenges.
This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organization truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cyber security be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services.
It’s not what you know, it’s what you don’t know
The pace of change in cyber security means that organizations must accept they will not always be positioned to combat every single attack. Whilst on one day an organization might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organization will not have known that it had vulnerabilities until it was too late.
By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills - either in-house or outsourced - to combat it, organizations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organization will open itself up as a target for many forms of new attack vectors. Instead, accepting that cyber security is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams - with the help of security partners - will never be caught off guard.
Maintaining the right cyber security posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organizations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled.
Matt Cable is VP Solutions Architects & MD Europe, Certes Networks.