Keeping cyber security staff keeps the enterprise safe
As data becomes more valuable to businesses and organizations, so do the profits from cybercrime. The pressures are therefore ramping up for cyber security professionals, charged with high-pressure roles to protect the enterprise and all its business practices. Because those practices are currently changing (cloud computing, hybrid topologies, edge installations, mobile endpoints and BYOD), many cybersecurity professionals feel undervalued and stressed, and departments are apparently under-skilled.
A new Symantec survey available here touches on several pain points and some notable specifics, but the executive summary comes down to just a few stats: 97 percent of European enterprises agree that there’s a security skills shortage, with a shortfall at present of 142,000 staff. Of the existing staff, 46 percent feel they are simply too busy to train and up-skill themselves or their departments, and just about half (49 percent) believe their adversaries are better resourced.
Most enterprises dedicate about 8 to 9 percent of their budget to cybersecurity, and in competitive marketplaces, that ratio of spending is unlikely to increase suddenly. Part of the issue is one that has bedeviled cyber protection measures ever since the first firewall went online: success is judged by a lack of negative impact (i.e., if it’s working, there’s no news to report), and failure that’s placed at the door of under-resourcing looks like an attempt to shift the blame from responsible individuals or specific teams. Even if there were unlimited funds to throw at the problem, most organizations have stated that sourcing suitably qualified new staff takes at least 6, but more like 12 to 18, months.
To address the problem, cybersecurity professionals are adopting several radical approaches to shift their service from a fragmented and reactive stance to one that’s consolidated and therefore able to act strategically. That’s not a change that can happen overnight, but the paper from Symantec does highlight several facets of change that can be considered to help alleviate the situation in which many are struggling.
First idea to tackle the cybersecurity skills gap: think imaginatively.
According to Richard Brinson, CEO Savanti, and former CISO at Unilever, RS Components and Sainsbury’s, options might include “placements, secondments, [or] contracts […] Consider an experienced intern to tackle difficult fundamentals, or lead a transformation […] It might be something simple like creating a part-time role or flexibility in terms of location.”
That last point alone chimes nicely with many studies of IT professionals taken over the previous three or four years. Trained staff are not only aware they are in demand but are also more inclined towards a healthier work-life balance than before. Part-time options or remote working options could be attractive to many, plus a distant cyber protection specialist in a different timezone helps towards the provision of highly skilled staff around the clock.
The Symantec paper, High Alert: Skills Crisis, also highlights the use of different strategies with regard to employment practice. One company used a psychologist to help cyber security staff, with a resultant massive reduction in employees clicking through to rogue sites and malicious code. Staff educators need not necessarily be cybersecurity experts, and it is, of course, the human element in most enterprises that causes a significant proportion of issues (as has especially been the case for five-plus years).
Second idea to help keep cyber defenses healthy: invest in tomorrow’s talent, today.
As Dr. Steve Purser, Head of Core Operations, ENISA, and former financial sector CISO says, “you need solid experience to do this job.” To that end, he states, “we need to support them [security professionals] […] from their 20s through to their 40s or 50s.” That means ensuring that training and development systems are in place and provide interesting and exciting challenges to staff.
As we have covered previously, engaging IT staff on an intellectual level keeps the right people at an organization. Dull, repetitive work, where skilled staff feel underutilized, usually leads to people looking for more involved roles elsewhere.
Cyber security involves a range of skills, including network infrastructure knowledge, storage technologies, archiving and backups, WAF techniques, research, AI and ML. The potential for a full and engaging career for young IT professionals is all there; it just needs the right management approach to career development for staff.
Third idea to simplify and strategize cybersecurity: consolidate the security environment.
Reducing complexity in cybersecurity sounds like a contradiction in terms, but that’s far from the truth. Complex though the techniques of defense (and attack) might be, what can be addressed is the everyday complexity of having to navigate from system to system to manually get an overarching picture of security posture in real-time. A broad-reaching topology and wide range of technology models (hybrid clouds, public SaaS, AWS buckets, variations in endpoints, different VPN apps in use, ad infinitum) mean that the average toolkit required to keep on top of it all on a merely reactive basis is complex and multi-faceted.
The Symantec High Alert series highlights the tension caused by multiple point products and platforms: staff spend too much time running to stay still. Instead, managing cyber defenses holistically with a decreased management burden creates a situation in which digital initiatives from elsewhere in the enterprise (the phrase ‘digital transformation’ is de rigueur in every department and division) can be supported and protected. And at a local, IT department level, staff will be more productive, more likely to stay with the organization and better able to address the everyday challenges that their career in cybersecurity presents.
Read the full High Alert: Perfect Storm and High Alert: Skills Crisis papers on Symantec’s site (there’s a third released in July – watch this space), and start addressing any issues you may have with shifting to a consolidated platform approach: talk to the Symantec team about Symantec Integrated Cyber Defense.