Ask any person on the street what "cloud" means, and you are likely to get as many strange and funny responses as wrong ones. Rarely will the answer relate to a simple technical definition. It is a similar scenario when it comes to security, or cyber security. If we ask security professionals, their definitions might vary as well, yet all agree that the goal of cyber security is to protect a company's most valuable assets.
But with Gartner predicting that by 2020, "anything other than a cloud-only strategy for new IT initiatives will require justification at more than 30% of large-enterprise organizations," this creates real challenges when it comes to security and privacy. The fixation on "the digital transformation" is spreading through all business industries, including financial institutions.
Every day, I attempt to raise awareness about the risks of adopting new technologies and the importance of mitigating those risks for the longevity of the business. In all the years I have conducted this exercise, I realised how difficult it was for non-technically savvy professionals to estimate, relate and calculate their cyber risks, and to report them appropriately to the board or business owners with some clear numbers around ROI. While the data is owned by the business, it is common to assign the task to the cyber security department and transfer the responsibility to the IT/security manager. This is, of course, a realistic scenario: many small to medium-sized companies do not hire cyber security professionals, but rely on a single IT manager, who is pressured to implement technical security controls.
This situation is mainly due to the lack of understanding, described above, of the implications when a new technology is adopted to drive the business. It is also related to the fact that cyber security professionals commonly have an IT/technical background and therefore approach the business from a different angle, which makes it harder to communicate with business owners and share the risks involved.
Businesses fear budget increases and a lack of profitability, especially when external shareholders are involved. These fears arise because the risks are not well understood, and therefore they are not appropriately presented to the board or business owners.
Looking back at my studies, information security was never addressed at any point during my primary or secondary education. That said, this is also related to the fact that access to the Internet was still very limited. I started learning about information security when I had already chosen to pursue a career in technology and engineering.
Currently, schools are also affected by the digital transformation: from a very young age, kids are immersed in a universe of new and disruptive technologies, accessing information and sharing their own data without proper guidelines. Our behaviour and actions should be shaped as early as primary school, where the foundations for understanding the implications of technology are laid. When I was 6, my mum gave me the key to the house, and she kept telling me not to open the door to any stranger. We should mirror that "physical" behaviour with our kids when they have online access, and always provide them guidance about the risks of online exposure.
With this attitude, we will build technology-savvy communities, and not only "blind" users who choose popularity, accessibility and comfort over security and privacy.
The current awareness landscape and the general public's low maturity level around cyber security and cyber risks subject security professionals to undue pressure and an excessive number of overwhelming tasks, commonly unaligned with business goals and strategy. This is also related to a global skill shortage that is being observed and will take at least a few years to address properly.
That is the main reason why, in this National Cyber Security Awareness Month, I encourage you to think critically about how to build your cyber security team, address the current situation, and build cyber-resilient organizations.
Instead of looking for a security professional to carry out technical tasks and configure firewalls, I suggest rethinking diversity and certification requirements to open the opportunity for various profiles to join the industry. Cyber security is not only a technical field; it addresses the risks that come with technology adoption, and therefore requires a varied pool of skills to understand, address, communicate, and mitigate those risks. Cyber security is not a narrowly defined field where one skill set can cover the entire spectrum.
In fact, the following excerpts support my findings:
- Only a third of organizations believe they have adequate resources to manage security effectively. (Source: Ponemon Institute)
- Millennials love the cloud, and 70% of millennials admitted to bringing outside applications into the enterprise in violation of IT policies. (Source: IDC and Wired)
- 78% of people claim to be aware of the risks of unknown links in emails, yet click on these links anyway. (Source: Barkly)
- Skycure reports that 21% of organisations have traced a data breach to their BYOD program. (Source: Skycure)
- Two-thirds of UK small businesses don't think they're vulnerable to cybercrime. (Source: Gov UK)
- Only 7% of businesses have good visibility of all critical data; 58% say they have only slight control. (Source: Forcepoint)
- 87% of enterprises say they require up to 50% more budget for cybersecurity. (Source: EY)
- 29% of respondents in a survey of 9,500 executives from 75 industries in 122 countries said that CISOs bear the responsibility for IoT security. (Source: PwC)
- The cybersecurity workforce shortfall will range from 1 million to 2 million positions by 2019, according to the Center for Strategic and International Studies. (Source: UPI)
Currently, cyber security professionals have not managed to accomplish their goal of protecting the business's most valuable assets effectively, nor to advocate for security and privacy by default with an intentional approach to integrating those values in business specifically and in society generally. We need the skills now more than ever, and bringing other profiles into your security teams might serve to shift the current situation and address the challenges cited above. CISOs should embrace a notion of diversity broader than gender, ethnicity, etc. They should consider hiring lawyers, psychologists, marketers, etc. on their teams. Major future cyber threats include scams with advanced social engineering tactics and data compromise due to cryptocurrency trading, for example. Given that, it would be very beneficial to have a psychologist to address those types of threats, and a marketer to run the cyber awareness campaign efficiently, instead of a PDF or PowerPoint that the employees do not read or understand.
In my RSA Conference 2018 Asia-Pacific & Japan panel discussion with Ms. Narelle Devine, Chief Information Security Officer for Australia's Department of Human Services, whose staff has grown from 25 to about 200 in the last two years, we addressed this topic, and Ms. Devine specifically mentioned: "You actually also need psychologists, you need lawyers, you need intelligence specialists and you need people that can communicate, so we needed marketing people and communications people."
Ms. Devine and I both agreed that re-training and upskilling those who are passionate about cybersecurity, but may not have an IT background or market-popular certifications, is an efficient way to address the cyber security skill gap and provide a better-adapted, result-oriented strategy for CISOs.
On those notes, I wish you all a critical-thinking cyber awareness month 2018!