Corporate security is near the top of the list of CIO concerns for 2023 — but a security skills shortfall is also a problem. What can companies do to bring up the slack?
In 2022, cybersecurity firm Fortinet conducted research that revealed 80% of organizations suffered one or more breaches that they could attribute to a lack of cybersecurity skills and awareness, 64% of organizations experienced breaches that resulted in lost revenue or cost them fines during the past year, and 38% of organizations reported breaches that cost them over one million dollars.
In the same report, 60% of survey respondents acknowledged that they were struggling to recruit cybersecurity talent, 52% said it was hard to retain the security talent that they had and 67% said that the shortage of qualified cybersecurity employees was generating risk for their companies.
The confluence of these factors makes enterprise security — and being able to maintain it with on-staff security professionals — a major priority for CIOs in 2023. At the same time, the burnout experienced by many IT security professionals, and the insistence upon supplementary education, high salaries and company investments in resume-enhancing certifications, are making it difficult for many organizations to attract and retain talent.
Companies that can’t find the help they need should use a two-pronged approach that builds security awareness and skills while also reducing risk.
How to build your organization’s security awareness and skills
Invest in your existing staff
The best sources for raw talent are your existing networking and systems groups. Individuals in these groups already have a sound grasp of IT infrastructure, which is where most security attacks are likely to manifest. They can build upon this infrastructure foundation by adding cybersecurity skills, and they will also buy into the organization long-term when they see you are willing to invest in their education, certifications and career opportunities.
Assign someone on your staff to be a security analyst
IT security analysts research trends and security incidents around the world so you can anticipate what the security threats of the future will be and be ready for them. Most companies don’t have this position, which is why they get caught flat-footed when a new security threat emerges. Cybercriminals work 24/7 to develop the “next best attack.” Your company should be forward-thinking and proactive about security as well.
Create a budget reserve for security
IT departments budget for security threats they’re already aware of, but nothing is allocated for the threats IT doesn’t know about yet. If an unforeseen threat emerges, you have to have the budgetary wherewithal to purchase the tools to fight it. A reserve budget that can be activated for that purpose without having to go through lengthy budgetary exception approvals should be in place.
Make security awareness a cultural trait in your organization
Employees are a major source of security breaches. Unfortunately, many companies relegate employee security training to the fundamentals of usernames and passwords. Security policies might be stated in an employee handbook that hardly anyone reads.
That is not good enough. Employee security training, policies and practices should be fully and clearly documented, reviewed annually with employees and continuously emphasized by the CEO, the CIO, HR and other C-level executives so they are deeply ingrained in your workforce.
How to reduce security risk in your organization
Perform regular security risk assessments to identify vulnerabilities
For organizations that can afford an internal audit group, internal auditors should perform quarterly security vulnerability audits at a minimum.
Annually, every organization should also budget for an external audit. The external audit should include an examination of IT systems and networks, security vulnerability testing, and a review of security policies and procedures. It should also include a social engineering audit, which reviews the security practices of employees throughout the company and checks for vulnerabilities.
Include security in your RFPs with IT vendors and outside suppliers
Just because you have rock-solid security practices doesn’t mean your IT vendors and your company’s business suppliers do. The security standards that you expect of your vendors and suppliers should be enumerated in the RFPs that you issue. This lets your business partners know that security in their own systems and practices is a precondition to doing business with you.
Secure the edge of your enterprise
Globally, there will be over 25 billion IoT devices in use by 2030, and enterprises will be major users. With the growth of remote employee workforces and the distribution of more IT to the edges of enterprises, it will be imperative for IT to provide the same robust security at the edge as it does in the data center.
To patrol the edge, IT will need to do these six things:
- Implement zero-trust networks that can monitor and administer employee access and permission levels.
- Administer timely security updates for all edge IT assets.
- Set security on all new incoming IoT devices so they conform to company standards.
- Provide secure physical cages for IT equipment at the edge when it is not in use.
- Ensure that edge employees and managers are thoroughly trained in IT security policies and procedures.
- Include IoT edge and cloud assets in your disaster recovery (DR) plan and test them.