Regardless of the changing types of attacks one consistent threat regularly hits the top spot; people. The human factor all too readily providing misplaced trust and casual clicks that lead to media fanned disaster. It’s a valid concern but the problem that I’m seeing rise fastest is the worrying lack of trained cyber security staff to help businesses protect themselves, and to respond when things go wrong. The situation is only getting worse – it is predicted that around 2 million cybersecurity roles will be left unfilled by the end of 2019. There’s no quick fix for finding that amount of people…there’s no 4 day training course for this one.
Assuming that these people are not going to magically arrive at your doorstep, what should we do to alleviate the resource problem in the short-term?
• Cross-train existing IT staff to assist with some security duties? In that case we first need to free up some time from IT. With it being estimated that spend on network operations is between 2 and 3 times the cost of the network it’s clear that something needs to be done to reduce the complexity of everyday tasks – and hopefully significantly reduce mistakes at the same time. Whilst on the training theme, why not provide better (read more impactful) security awareness training for all staff? Maybe the once a year phishing training isn’t quite what it was cracked up to be?
• Help automate processes between security and management systems. With the average enterprise now having over 35 separate security products there’s a need to streamline how we can access the useful information from each – and to share that context between systems. Remember, with the skills shortage also provoking wage rises the chances of having fully trained staff on each and every product is increasingly slim. Anything that can save time on getting the most relevant info from all platforms, and therefore save time on individual investigations has to be good thing.
• Make sure we’re investing time and money in the right areas. Security is always full of this year’s silver bullets – some will stand the test of time, some probably won’t. Regardless, we have to get the basics nailed down first to provide a secure foundation for future projects – there’s very little point in investing in the latest generation monitoring system if we’ve left the front door wide open.
• Finally – and this is one aimed squarely at the providers of security solutions – we need to provide solutions that don’t impinge on the user and business experience; otherwise we only pre-empt the worse outcome for everyone which is to simply do nothing.