According to the (ISC)² Cybersecurity Workforce Study, nearly one third of respondents said that it’s been challenging to respond to cybersecurity incidents due to skill shortages within their team. While we have known for some time that there is a cybersecurity skills gap, when you hear executives say that staff shortages result in “misconfigured systems, not enough time for risk assessment…and slowly patched critical systems,” it gives you pause. Recently I sat down with cybersecurity experts Harris Health System CIO/SVP David Chou, Berkeley Varitronics President and CEO Scott Schober, and cybersecurity expert Shahid M Shah for a rapid-fire Q&A session on today’s most pressing cybersecurity challenges.
Q1: What do you see as the top cybersecurity challenge for the coming year?
A1 (Chou): Cybersecurity is suffering from a critical staffing shortage. According to a recent ISACA poll, 61% of cybersecurity teams are understaffed. About half of the ISACA poll’s respondents also believe that their applicants are underqualified. This cybersecurity skills gap is a huge challenge. The combination of worker scarcity, increasingly complex cyberattacks, and the accelerating implementation of advanced technologies by our organizations—which inherently increases our threat exposure—is raising our risk level well above both our individual and collective tolerances.
Q2: What impact is COVID having on SecOps teams that are already spread too thin?
A2 (Schober): We need to understand that the COVID pandemic has upended families, relationships, and schedules outside of work. In fact, by shifting many employees to work remotely from their homes, we’ve actually become extended members of our employees’ families. And, as we all know, family dynamics can be complex and take months or even years to sort out—especially when it comes to what we might term their “divisions of labor.” Managers therefore need to be patient when it comes to employees and their families adapting to the “new normal.”
Q3: Isn’t COVID also affecting SecOps by dramatically increasing remote work generally?
A3 (Shah): Absolutely. In fact, my sense is that most organizations are still insufficiently concerned about—or, perhaps more to the point, not doing enough about—the kind of anomaly detection that is essential in the new post-COVID world of mass remote work.
Of particular concern is the sudden spike in the use of fully decentralized SaaS applications. Data and other intellectual property are now being spread across vastly more locations and more apps without the metadata tracking or provenance mapping that we need in order to have reasonable visibility into what data is going where.
Zero-trust frameworks are obviously useful here from a basic cybersecurity best practices perspective. But if we don’t implement appropriate additional measures like anomaly detection, we are not facing the reality that enterprise computing has been fundamentally altered by the fact that the pandemic has dispersed our data much more broadly than it has ever been dispersed before—and that the vulnerabilities created by our now-colossal volume of home-based (i.e., fixed-point) remote work are of an entirely different order than the relatively small amount of mobile-based (i.e., transient-point) remote work we were focused on pre-pandemic.
Q4: So how do we address the yawning gap between staffing shortfalls and escalating risks?
A4 (Schober): To address the cybersecurity skills gap, one approach to consider is focusing less on candidates with specific advanced degrees and instead becoming more open to hiring candidates with a mix of practical skills and technical qualifications. There are several reasons to consider this approach. One is that flexibility and adaptability are truly critical attributes for SecOps teams during this transitional time in the workplace. Also, SecOps teams need team players who are adept at collaboratively leveraging AI, cloud computing, and remote communications in new, creative, and productivity-enhancing ways or even engaging partners who can help execute sophisticated threat hunting.
And third, you should never be afraid to invest in your current employees. By up-skilling/re-skilling the team you have, you do more than just improve their technical abilities. You also build morale—which is way more valuable to your organization than you may realize—and avoid all the costs and disruptions associated with employee turnover.
Q5: Any other tips for getting maximum business bang out of every cybersecurity buck?
A5 (Shah): Most IT organizations still aren’t mapping vulnerabilities and threats to actual business risks in the context of their organization. This leads to two problems. First, it undermines the ability of the business to appreciate the magnitude of the risks to which it is exposed. That adversely affects everything from “hard” issues like funding to “soft” issues like appreciation and influence.
Second, without an accurate mapping of vulnerability to business risk, you can easily wind up over-allocating costly resources to what are actually small problems and under-allocating resources to what are actually potentially existential problems.
A lot of this happens because IT organizations get so overwhelmed by the need to protect infrastructure assets (servers, storage, switches, etc.) that they take their eyes off protecting information assets (data, user identities, etc.).
Trending: The Shift to MDR
I always enjoy speaking to other cybersecurity experts about the trends they are seeing in the market. One trend that we are seeing, as organizations look to not only reduce their risk but also maximize their existing investments and address the cybersecurity skills gap, is investment in Managed Detection and Response (MDR) services. In fact, Gartner® predicts that by 2025, 50% of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment and mitigation capabilities [1].