Cybersecurity means investment in people, not services

Just employing a Computing Science major doesn't mean your cybersecurity is sown up for good – you need a constant investment.
19 November 2018

European students compete during the finals of the Cybersecurity Awareness Week. Source: AFP

Demand in the education sector for computing courses is on the rise. Students looking to their futures are considering careers in computing across the board, for a number of reasons, least of all the definite financial rewards on offer.

Of course, computing (whether as a course choice for 18-year-olds or as a career), is an expansive area for specialism. Developing the next version of Fortnite or CoD may be seen as the height of glamor in some quarters, but the rise of cybersecurity threats and breaches might, we hope, direct talented would-be professionals to the area of IT security.

In the enterprise space, there are quite a few misnomers about IT security in general, often coming from sources that we might think should know better. Sweeping generalizations about AV, firewalls, IDS and staff vigilance are all well and good, but the type of pro-active approach needed to protect any company from cyber threats requires very specialist knowledge.

Many companies buy-in their cybersecurity. A quick message to known business associates may well ‘solve the problem’, but enterprise-level CSOs need to be sure of the effectiveness of the services they’re getting.

The same problem affects assigning cyber-security to internal IT departments. A CTO, employed for her business acumen and strategic foresight may not have the necessary depth of knowledge required to face down the very latest cyber threats.

Of course, all areas of business require specialist knowledge, from warehouse management to HR. But what decision-makers in the enterprise should know is that the best cybercriminals are the cream of the crop. And a formidable opponent needs a well-trained defense. Cybercriminals will have brains on their side, in all probability, plus they have the benefit of numbers and anonymity.

As an example, when an exploit in an operating system becomes apparent, that knowledge doesn’t usually percolate into the public consciousness until it’s too late. So does your business have the means at its disposal to combat the threat?

The answer is to ensure IT Management is aware of the depth of knowledge required by security teams. Up to date training in the latest ‘white hat’ techniques should be sought, and mechanisms put in place to keep knowledge up to date.

HR function must play its part too, educating users anywhere in the enterprise about cyber hygiene and good practice online. Humans cause the vast majority of malware incursions ‚ not compromised systems.

And if skills are not available in-house, external help should be sourced as a matter of priority. It’s probably worth seeking a third-party supplier whose only forté is cybersecurity, rather than having this crucial area of IT policy as a bolt-on or adjunct from a managed service provider; the latter tend to buy-in services with a markup passed onto their clients.

The adage remains ever-true: it’s not if a cybersecurity incident happens, it’s when it happens. Preparing, then, is a more complicated affair than ticking a box in a list of IT requirements from a single supplier or employing a graduate and letting their education fall fallow.