By Lucy Kerner, Security Evangelist and Strategist, Red Hat
When it comes to cybersecurity, a lack of resources can be a bigger threat than the criminals who have their sights set on stealing organizations’ data, money, time, and reputation.
Resources have always been a problem when it comes to cybersecurity. You are not always rewarded for doing security the way you are when you develop a new business application quickly. This usually leads to security teams being understaffed and overworked. At the same time, skilled cybersecurity professionals are in high demand, and there is significant turnover in cybersecurity positions.
In fact, when it comes to cybersecurity, a lack of resources can be a bigger threat than the criminals who have their sights set on stealing organizations’ data, money, time, and reputation. This has long been true, but COVID-19 turned the cybersecurity resource challenge into a full-blown problem, causing security to be overlooked in many cases.
In the best of times—or, at least, more normal times—talented cybersecurity resources are difficult to find, expensive to procure, and hard to retain. The pandemic has exacerbated the cybersecurity skills shortage as organizations’ focus and resources have shifted to shoring up, or even building from scratch, work-from-home capabilities. Proactive security has been put on the back burner for many companies, exposing big gaps between the cybersecurity resources.
In a pre-pandemic study conducted by (ISC)2, an international, nonprofit membership association for information security leaders, the cybersecurity workforce gap in the United States was estimated to be nearly 500,000. By combining its US cybersecurity workforce estimates and gap data, the association found that the cybersecurity workforce needs to grow by 62% in order to meet the demands of US businesses today. Using the workforce estimate of 2.8 million based on the 11 economies it studied and a global gap estimate of 4.07 million, the association estimated that the global workforce needs to grow by 145%.
Indeed, respondents to the survey that was used to develop the study said that a lack of skilled/experienced cybersecurity personnel is their top concern, and that the gap puts their companies at moderate or extreme risk. Research for the Ponemon Institute’s 2020 Cost of a Data Breach Report began months before COVID-19 had widespread impact, but supplemental questions related to the potential impact of remote workforces due to the pandemic revealed that 76% of organizations predict that remote work will make responding to a potential data breach more difficult.
With the Ponemon research estimating that the average total cost of a data breach is $3.86 million, preventing a cybersecurity incident in the first place is critical. But all is not lost. Solving the cybersecurity resource problem outright is not going to happen right away, but there are things that organizations can do beyond adding more security bodies. Here’s how to strengthen your cybersecurity position.
1. Establish internal security training and certification programs
Savvy organizations realize that true cybersecurity requires a cultural shift. Essentially, some level of cybersecurity must be part of each employee’s responsibility. That’s not to say that your marketing director will be on the security front lines, of course, but every employee should take part in security education and certification programs. And that doesn’t mean that you can just create a PowerPoint presentation that you force employees to sit through so they can check off a box; it means developing meaningful and relevant programs that engage employees and help them understand the cybersecurity threat and their roles in mitigating it. Think about “lunch and learns,” mock breaches, and even escape rooms.
2. Encourage security cross-pollination
If security is everyone’s job, then security resources should not be limited to the IT department. Think about ways security can cross-pollinate within the organization. Just as security is infiltrating the development arena through the growing DevSecOps movement, security resources could be integrated into other areas, as well. This will not only develop company-wide understanding of security issues, but it will also encourage cross-collaboration and the opportunity to build security into processes, products, and services from the ground up.
3. Take a hard look at your security tooling
Many organizations have security tools they don’t really need or that are out of date and can’t support new technologies such as cloud, containers, or Kubernetes. This wastes time and money. For example, many companies are running legacy security tools designed to protect systems that are no longer used.
Companies also often have too many tools to keep track of, leading to redundant tooling and the inability to manage the growing number of tools. Also, many companies aren’t making full use of security tools that are already built into existing systems, such as the operating system, container platform, or security tooling provided by the cloud provider. A thorough inventory of existing security tooling will reveal what’s needed (and not needed) to address current security concerns.
4. Put a consistent automation strategy in place
With so many moving parts in place, no human or group of humans could ever fill every security hole. Indeed, as IT environments and the world around us become more complex, so do the security events facing IT teams. A consistent automation strategy can help organizations more effectively mitigate risks by reducing human errors, remediate issues, respond quickly to security alerts, and develop repeatable security and compliance workflows.
It’s important to note, however, that automation isn’t one product or even a collection of products. Organizations should look for an approach that overlays a consistent automation strategy across app dev, infrastructure, security operations, and so on. In fact, Ponemon’s Cost of a Data Breach Report noted that organizations with fully deployed automation—versus those with no automation deployed—realize a savings of $3.58 million in average total cost of a data breach.
Is the cybersecurity resource problem unsolvable?
It’s true that, realistically, the resource problem can’t be completely solved, but it’s a problem that you can effectively address and manage with proactive planning, strategic technology implementation, and widespread, ongoing, and engaging security awareness training and collaboration.