Managing Security Resources: It’s All About People and Awareness (Part I)

Tuesday, December 01, 2015

Steve Durbin


Organizations worldwide continue to struggle to attract and retain skilled information and cybersecurity professionals. Overcoming this challenge requires a more imaginative, business- and people-centric approach to the recruitment of security professionals. However, once you have the right people in place, it is imperative to retain them and use their skills to embed positive information security behaviors throughout the organization.

Businesses continue to invest heavily in ‘developing human capital’. The inherent idea behind this is that awareness and training always deliver some kind of value with no need to prove it; employee satisfaction was considered enough. Unfortunately, this is no longer the case. Leaders, now more than ever, demand return on investment forecasts for the projects they have to choose between, and awareness and training are no exception. Evaluating and demonstrating the skills these programs build, and their overall value, is becoming a business imperative.

Skills Gap

Wherever I go these days, I’m always hearing about a cybersecurity skills shortage. The figures are quite mind-boggling, actually. In fact, the seventh annual (ISC)² Global Workforce Survey, conducted by Frost & Sullivan, was released earlier this year and it found that there will be a shortage of 1.5 million information security professionals by 2020. Interestingly enough, this shortage was cited by nearly half of cybersecurity staff as a key reason for data breaches. This will certainly have a heavy impact on customers moving forward.

So how do we deal with this?

In 2014, the US Senate unanimously passed the Border Patrol Agent Pay Reform Act of 2013, which incorporates the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act. This bill strengthens the cybersecurity workforce at DHS by granting the department secretary personnel authorities, similar to those of the defense secretary, to hire and retain cybersecurity professionals. This legislation will set the tone for qualified individuals to come into the field, a field which is certainly underrepresented.

One of the things that strikes me is, yes, we are facing a shortage of skills, but we are also looking at a forecast that says there is no quick fix. While we continue to attract the right level of interest in what we are doing, and while we continue to work with universities and pass needed legislation, we must realize that we do have a problem on our hands that needs to be resolved.

Breaches Continue and Insider Threats Remain

Over the next few years, the number of data breaches will continue to grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Angry customers will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers.

As breaches increase, a number of them will be the result of insider threats. In fact, the insider threat is unlikely to diminish in the coming years. Efforts to mitigate this threat, such as additional security controls and improved vetting of new employees, will remain at odds with efficiency measures. More insiders with malicious intent will emerge as more people place their own ethics and perceptions above those of their employers. Corporate activists will get better at gathering information and bringing it to the media and public’s attention. Criticisms will go viral and information that comes from credible insiders will spread rapidly, be picked up faster and see increased media exposure.

Third Party Providers

In my own research, I wanted to find out if there was any real correlation between the skills shortage, the move to engage with third parties and if there was any empirical evidence that this was having any impact on the way that businesses were doing their daily business, or on the security threat landscape itself.

Results from the 2015 Vormetric Insider Threat Report show that insider threat awareness levels have increased. Only 11 percent of respondents felt that their organization was not vulnerable to insider attacks and an overwhelming percentage (93%) were looking to increase or maintain existing spending on IT security and data protection in the coming year.

So, with a major skills gap and the threats of insider threats looming, how do we find the right people?

We don’t have the right resources inside, so we are going to have to go outside. As such, service providers will become more of a vulnerability than ever before. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Information shared in the supply chain can include intellectual property, customer or employee data, commercial plans or negotiations, and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, all of whom share access to your most valuable data assets.

To address information risk in the supply chain, organizations should adopt robust, scalable and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations.

Outside of third party providers, organizations should also be concerned about “big data”. The massive volume of data that businesses are collecting, including financial transactions, location-based data and customer interactions, is growing exponentially. Problems addressed by big data analytics are those for which insights and answers arise from analysis of vast, complex or disparate data sources. Executives tasked with managing company data must find the delicate balance between everyday data management tasks and effectively leveraging data through both analytics and analysis.

Big data analytics are already being used for fraud prevention, cybersecurity detection, social analysis and real-time multimodal surveillance. When analytics has been used as a security tool, it has been deployed reactively to monitor security incidents or discover breaches. What we’re now seeing is a massive, exciting opportunity for organizations to use analytics to be more proactive and forward-looking about their cybersecurity.

So where do the challenges lie?

The business problem that we need to get our arms around is that organizations are gathering and holding onto a lot of sensitive information. This data is being held in the cloud and shared with third parties. Since we consistently have to work collaboratively with third parties, we are opening up a number of vulnerabilities. Business partners, contractors and service providers all present risk to the organization.

In Part II, I'll take a look at a number of different ways that businesses of all sizes can evaluate their organizational risks. As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. 
