Like many of us, I tend to notice articles flagging the next big wave of demand for a particular skill set. One that recently caught my eye proclaimed that now is the time to have cyber security skills. The Global Information Security Workforce Study 2015, released by (ISC)², estimates a shortfall of 1.5 million people with skills in this key area by 2020. The study has been repeated since 2004 and has reported a workforce shortage each time, but the gap between supply and demand now appears to be widening faster than before.
The importance of the workforce to an organisation's cyber security posture is also highlighted in a report I recently read by Accenture entitled “Intelligent Security: Defending The Digital Business”. In it they summarise the most common issues that stand in the way of an effective organisational response to cyber security, namely:
- Linking security and business. Tie security programs to business goals and engage stakeholders in the security conversation.
- Thinking outside the compliance (check) box. Go beyond control- or audit-centred approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.
- Governing the extended enterprise. Establish appropriate frameworks, policies and controls to protect extended IT environments.
- Keeping pace with persistent threats. Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.
- Addressing the security supply/demand imbalance. Develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.
Supporting the report, they also have a very good infographic that is worth a visit: “Take A Security Leap Forwards”.
The point Accenture make, that compliance with a given industry’s cyber security regulations is only a good starting point, particularly resonates. It is a discussion I have had many times over recent months with colleagues. Meeting compliance requirements is the minimum level to achieve, and compliance also tends to be associated with relatively static, periodic audits rather than real-time monitoring and, indeed, adaptation. It is pretty clear that the sophistication of externally originated cyber attacks evolves extremely rapidly. Attackers go for the points where defences are weakest, and in a hyper-connected digital world securing the perimeter, or specific “citadels” within that perimeter, is challenging. Defences need to be real-time, automated, holistic and funded appropriately, both to meet the risk and to reflect the value of the assets being protected.
It seems to me that the last year or so has seen a growing understanding of the importance of the Chief Information Security Officer (CISO) role. Based on hearsay, CISOs seem to be having an easier time obtaining adequate funding for their function. Of course, the tooling needs to match the sophistication and evolutionary pace of the attackers. The CISO needs to be able to engage with new and disruptive technologies as they emerge, so that they can define a layered defensive strategy that is perceived not as a blocker but as something that adds value and is an absolute necessity. Constructive, frequent and open access to the senior leadership team of any business is critical if a CISO is to be empowered to bring real value to their organisation. The decision points will often be difficult, as innovation, agility and pace are confronted directly by valid concerns about information integrity and a level of protection appropriate to the value the information represents.
As ever in the world of technology, there is money to be made by vendors providing the tooling that enables appropriate levels of security in the digital world. A recent Financial Times article by Hannah Kuchler put the cyber security market at an estimated $15bn-$20bn over the next three years, and reported that venture capital funding flowing into the area exceeded $1bn for the first time in the first quarter of 2015. Venture capital funding for cyber security across the whole of 2014 was apparently $2.3bn, itself an increase of 33% over 2013. The money is certainly flowing into the cyber security space, and given Sony's recent experience, and the publication by WikiLeaks of the information the attackers extracted, that is hardly surprising.
All that said, I think many organisations face their biggest cyber security risk from threats that are far from new to us. The first is the often depressing factor of your own company’s people doing something that, in hindsight, they would fully accept as being dim, often despite the act that exposed the corporate information having been heavily and frequently communicated as unacceptable. However, in my career to date the threat that has caused me the most issues has been obsolete software: software that is not listed in the IT asset database and might be lurking under a desk, or is part of the “shadow IT” world, procured on a credit card and forgotten. Such software is no longer being patched for security vulnerabilities by the vendor. It is easily missed, and the first time you become aware of its existence might well be a very unfortunate moment. It sounds trivial compared with the sophisticated attacker, but it represents an easy access point for exactly that attacker. There are many examples of obsolete software that has been around long enough to be very well embedded. The next one that I think might create a few issues for many of us is Microsoft Windows Server 2003, which goes out of support on 14 July 2015. Might be worth another check to be sure you will have no surprises in late July?
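As an added illustration of the check suggested above (this is example code, not from the original post), here is a small Python script that walks a host inventory, flags anything past or approaching its end-of-support date and, just as importantly, flags hosts that a network scan found but the CMDB does not know about. The inventory rows are constructed; the end-of-support table carries Microsoft's published extended-support end dates for Windows XP, Server 2003, Server 2008 and Server 2012, while the `source` column, the match patterns, the reference date and the 90-day warning window are this example's own assumptions.

```python
"""Flag hosts running out-of-support operating systems in an asset inventory.

Added example, not code from the original post. The inventory below is
constructed; the end-of-support dates are Microsoft's published
extended-support end dates, the match patterns and warning window are ours.
"""
import csv
import io
import re
from datetime import date, timedelta

# Vendor extended-support end dates (Windows XP, Server 2003, 2008/R2, 2012/R2).
# Extend this table with whatever else lives on your estate.
END_OF_SUPPORT = [
    (re.compile(r"windows xp", re.I), date(2014, 4, 8)),
    (re.compile(r"windows server 2003", re.I), date(2015, 7, 14)),
    (re.compile(r"windows server 2008", re.I), date(2020, 1, 14)),
    (re.compile(r"windows server 2012", re.I), date(2023, 10, 10)),
]

# Constructed inventory. "source" records where we learned of the host, so a
# box seen only by a network scan but absent from the CMDB stands out.
SAMPLE_INVENTORY = """\
hostname,os,source
fs01,Microsoft Windows Server 2003 R2 Standard,cmdb
web02,Microsoft Windows Server 2008 R2 Standard,cmdb
kiosk-7,Microsoft Windows XP Professional,scan
label-printer,Unknown,scan
app05,Microsoft Windows Server 2012 R2 Standard,cmdb
"""

# Assumed "today" for the report; the post was written shortly before the
# Windows Server 2003 end-of-support date.
REFERENCE_DATE = date(2015, 6, 1)

SEVERITY = {"unsupported": 0, "ending-soon": 1, "unknown": 2, "supported": 3}


def classify(os_name, today, warn_days=90):
    """Return (status, eol_date) for one OS string.

    status is 'unsupported', 'ending-soon', 'supported' or 'unknown'. An OS
    we cannot match is reported as 'unknown' rather than silently assumed
    fine: the unrecognised box is exactly the one that bites.
    """
    for pattern, eol in END_OF_SUPPORT:
        if pattern.search(os_name):
            if eol <= today:
                return "unsupported", eol
            if eol - today <= timedelta(days=warn_days):
                return "ending-soon", eol
            return "supported", eol
    return "unknown", None


def review_inventory(csv_text, today, warn_days=90):
    """Return findings (most severe first) for hosts that need attention.

    A host is reported if its OS is unsupported, ending soon or unknown, or
    if it is not recorded in the CMDB regardless of OS.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, eol = classify(row["os"], today, warn_days)
        not_in_cmdb = row["source"] != "cmdb"
        if status == "supported" and not not_in_cmdb:
            continue  # supported and known: nothing to do
        findings.append({
            "hostname": row["hostname"],
            "os": row["os"],
            "status": status,
            "end_of_support": eol.isoformat() if eol else None,
            "not_in_cmdb": not_in_cmdb,
        })
    findings.sort(key=lambda f: (SEVERITY[f["status"]], f["hostname"]))
    return findings


if __name__ == "__main__":
    for f in review_inventory(SAMPLE_INVENTORY, REFERENCE_DATE):
        flag = " (NOT IN CMDB)" if f["not_in_cmdb"] else ""
        print(f"{f['hostname']:<14}{f['status']:<12}{f['end_of_support']}{flag}")
```

On a Windows estate the same logic can be fed from Active Directory (the OperatingSystem property that Get-ADComputer returns) or from a vulnerability scanner export, but the input that matters most is the one that does not come from the asset database: a scan of the address space, so that the forgotten box under the desk turns up in the "unknown" or "not in CMDB" bucket and gets chased before July rather than after.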
Image via Shutterstock.com.