Four Smart Cybersecurity Investments for CISOs to Bridge the Talent Shortage
The year 2022 is full of cybersecurity challenges for organizations of all sizes and across all industries. Financial margins, competitive positioning, and digital adoption continue to evolve an organization’s attack surface at a historic pace.
The threat of cyberattacks continues to grow, particularly highlighted by the rise in ransomware-as-a-service gangs and the heightened geopolitical tensions around the world. This activity all takes place on top of the increasing risks organizations face because of the widescale shifts to the cloud and remote work. We’ve seen these risks materialize in the form of new board-level concerns, such as the massive Log4j vulnerability that continues to impact security at many organizations.
Organizations must deal with these new challenges while handling some familiar ones, as well. The United States has a talent shortage of approximately 402,000 cybersecurity professionals, according to a 2021 survey by (ISC)2. As we continue through 2022, addressing the cybersecurity workforce gap will remain a top priority for organizations to alleviate instability and increase predictability in the performance of our cyber programs.
Professional groups, industry leaders, the education sector, and even the U.S. federal government are all taking steps to address the shortage through awareness campaigns, recruitment strategies, job matching initiatives, and more. But developing the next generation of cybersecurity professionals will take time. Unfortunately, time is a resource in short supply while the world continues to spin. Boards and investors do not consider staff attrition and an inability to attract talent as acceptable justifications for failing to deliver on cyber resilience.
Huge enterprises like Bank of America can afford to spend $1 billion per year on cybersecurity to recruit top talent and invest in the most advanced technologies, but most organizations don’t have that level of budget.
It has become unsustainable to maintain resilience with staff alone.
Yet we must still address mission-critical cybersecurity vulnerabilities and stave off threats, and do it while managing numerous open, critical cyber roles in our organizations.
I spend much of my time thinking about these challenges, and how my organization can more effectively address the macro challenge in skills and availability across the job market.
Here are four ways to be the most effective at addressing the cybersecurity talent shortage by maximizing the investments I can make in talent, technologies, and services.
Automate and partner to provide agility and scale.
Empowering our unique talent and arming them with the tools they need for stable and predictable operations is critical. It’s also important to invest in artificial intelligence (AI) and machine learning technologies that can help support your security team, streamline processes, and create efficiencies. Investing in them is important, but ensure you have a sense of “what does good look like?” By understanding how these tools should be deployed most effectively, you can minimize the tools generating worker frustration and unpredictable costs.
For example, Security Orchestration, Automation, and Response (SOAR) platforms can automate detection and response playbooks and the process workflows around them. A SOAR cannot supply playbooks tailored to your business, nor does it come with off-the-shelf processes that amount to good business process management (BPM). Instead, define the use cases beforehand, assess your process maturity, and identify who is going to maintain these tools after deployment so they keep delivering value.
Suppose you don’t have the cybersecurity expertise in-house to deploy, optimize, and manage a complex technology platform on an ongoing basis. In that case, consider enlisting the help of a third-party vendor. The question then becomes: Do you need staff augmentation, or is there more value in tapping into a mature managed security services provider (MSSP)? The answer depends on your business needs, but note the difference: the first moves the staffing problem to a partner, while the second leverages the economies of scale and intelligence of a mature MSSP.
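As an added illustration of what “define the use case first” means in practice, here is a minimal SOAR-style playbook written for this page (it is not the author’s code and not any vendor’s product). It handles one pre-defined use case, a phishing alert where a user may have clicked a URL, enriches each alert against an intel set, and returns a deterministic disposition. The use-case record also names an owner and a review interval, and automatic containment is suspended once the playbook is overdue for review. The intel set, allowlist, team name and sample alerts are all constructed for the example.

```python
"""Minimal SOAR-style triage playbook for one documented use case.
Added example; all data below is constructed, not real indicators or alerts."""
from dataclasses import dataclass, field
from datetime import date

# The use case is written down before automation: trigger, owner, review cadence.
# An unmaintained playbook decays into noise and unpredictable cost.
PLAYBOOK = {
    "use_case": "phishing_url_click",
    "owner": "detection-engineering",      # assumed team name
    "last_reviewed": date(2022, 4, 1),      # constructed date
    "review_interval_days": 90,
}

# Constructed threat-intel: domain -> confidence (0-100) that it is malicious.
INTEL = {"evil-login.example": 90, "newsletter.example": 40, "cdn.example": 5}
# Hosts that reach suspicious URLs on purpose (e.g. a detonation sandbox).
ALLOWLIST_HOSTS = {"sandbox-01"}


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    domain: str
    clicked: bool


@dataclass
class Decision:
    alert_id: str
    severity: str
    actions: list = field(default_factory=list)
    reason: str = ""


def enrich(alert: Alert) -> int:
    """Look the alert's domain up in the intel set; unknown domains score 0."""
    return INTEL.get(alert.domain.lower(), 0)


def decide(alert: Alert) -> Decision:
    """Deterministic triage. The thresholds are the written policy for this use case."""
    if alert.host in ALLOWLIST_HOSTS:
        return Decision(alert.alert_id, "informational", ["close"], "allowlisted host")
    confidence = enrich(alert)
    if confidence >= 80 and alert.clicked:
        return Decision(alert.alert_id, "high",
                        ["isolate_host", "reset_password", "open_ticket"],
                        f"known-bad domain ({confidence}) and user clicked")
    if confidence >= 80:
        return Decision(alert.alert_id, "medium", ["block_url", "open_ticket"],
                        f"known-bad domain ({confidence}), no click")
    if confidence >= 30:
        # Ambiguous: automation enriches and queues, a human decides.
        return Decision(alert.alert_id, "low", ["queue_for_analyst"],
                        f"low-confidence indicator ({confidence})")
    return Decision(alert.alert_id, "informational", ["close"], "no indicator match")


def playbook_is_current(today: str) -> bool:
    """True if the playbook was reviewed within its review interval (today as ISO date)."""
    age = (date.fromisoformat(today) - PLAYBOOK["last_reviewed"]).days
    return age <= PLAYBOOK["review_interval_days"]


def run_playbook(alerts, today: str = "2022-06-01") -> list:
    """Triage a batch. If the playbook is overdue for review, automatic containment
    is downgraded to an analyst queue so stale logic cannot act unattended."""
    decisions = [decide(a) for a in alerts]
    if not playbook_is_current(today):
        for d in decisions:
            if d.severity != "informational":
                d.actions = ["queue_for_analyst"]
                d.reason += "; playbook overdue for review, automatic actions suspended"
    return decisions


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("a1", "wks-042", "alice", "evil-login.example", True),
    Alert("a2", "wks-017", "bob", "evil-login.example", False),
    Alert("a3", "sandbox-01", "svc-detonate", "evil-login.example", True),
    Alert("a4", "wks-099", "carol", "newsletter.example", True),
    Alert("a5", "wks-100", "dave", "cdn.example", True),
]

if __name__ == "__main__":
    for d in run_playbook(SAMPLE_ALERTS):
        print(d.alert_id, d.severity, d.actions, "-", d.reason)
```

The point of the example is not the thresholds, which any team would tune, but that every branch is traceable to a written use case and that the playbook carries its own owner and review date; that is the part a SOAR purchase does not supply.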
Invest in and empower your cyber talent.
It is a competitive market. Internal knowledge, culture, and passion are the unique superpowers of your security team. Security organizations are often under a tight budget that may not account for the cost of hiring talent as part of the financial risk analysis. Automation can add capacity by removing time sinks from the program, but automation does not replace the key people who plan, build, and instill cyber resilience in an organization. People are the key to staying ahead of an ever-evolving threat landscape and a growing attack surface. However, it has become unsustainable to maintain resilience with staff alone. Most of us can’t afford to hire an army of cybersecurity analysts, and given the labor shortage, we couldn’t find one to hire even if we could.
If hiring a large number of analysts is challenging, what should we do? Aim to invest, cultivate knowledge and skills, and stimulate the passion of your existing cybersecurity staff. Create strong training programs to help individuals learn new skills and keep their existing abilities sharp year-round. Build a supportive culture to ensure a high-performing cyber defense program and to stave off employee burnout while ensuring the continued growth of individual team members. Establish mentorship and career path programs to support existing team members in their growth and provide feedback year-round, not just during annual performance reviews.
Developing a strong team culture provides your security experts with the resources and support they need to thrive in their jobs and keep them engaged, which reduces turnover and strengthens your organization’s defenses.
Invest in your non-security staff. Security is a team sport.
Eighty-two percent of data breaches reviewed in Verizon’s 2022 Data Breach Investigations Report involved the human element. With more organizations now operating permanently remote or in hybrid work situations, and 90 percent using cloud computing, the threat landscape has expanded. It’s more important than ever to arm every employee with the knowledge and training necessary for strong cybersecurity.
Employees are naturally more distracted as they move back and forth between working at the office and remotely. They may also be working from insecure home networks or compromised personal devices. All this makes them more vulnerable to social engineering and phishing attacks. So, it’s vital to ensure rigorous and ongoing training for all employees on cybersecurity best practices and how to spot threats.
Investing in cybersecurity training for the C-suite is equally important because these leaders can be targeted for spear-phishing attacks. Regular training will help them better understand the importance of cybersecurity, which may move them to allocate more budget to your security program in the future.
Double down on proactive rather than reactive security.
One of the most common mistakes organizations make is remaining stagnant when it comes to their cybersecurity defenses, simply maintaining the status quo. Plan, build, test, and run sounds like a sequential list of activities, but treat these four tracks as operating continuously and in parallel. The National Institute of Standards and Technology Cybersecurity Framework, ISO/IEC 27001, and the Center for Internet Security’s Critical Security Controls (18 controls in version 8) all provide good frameworks for developing roadmaps.
The next step is to think about the operating model outcomes. Think about how your organization can shift its cyber defense program from reactive to proactive. Organizations should consider predictive analytics, not only to report on historical trends but also to model how planned business decisions will change cyber resilience before those decisions are made.
There is one hurdle that cannot be avoided when making this shift. That is threat intelligence program maturity. Shifting the mind-set from threat intelligence feeds to what threat intelligence outputs are required for continuous situational awareness of the program and what people, processes, and technologies we require to make that achievable takes time and resources. Utilize penetration testing, red/purple teaming, threat hunting, deception, and reactive intelligence from business operations, including fraud operations, network operations, and human resources. Continuous planning, building, testing, and operating the program while tapping into the value of a threat intelligence program is a powerful combination to plot a pathway to proactive operations.
Cyber threats continue to grow, and the attack surface will continue to evolve. But by investing in automation with capable machine learning, existing cyber expertise, and training employees while doubling down on proactive security practices, CISOs can maximize their budget while developing the scale and agility to provide the necessary cyber resilience to the business.
Kory Daniels is CISO at Trustwave. During the last 15 years, Daniels has overseen and supported the evolving requirements of helping organizations define, measure, and accelerate achieving their security maturity targets, from fast-growing midmarket firms to Fortune 500 global enterprises.
© Kory Daniels