Cybersecurity experts are working longer hours and tackling more complex challenges as threat landscapes continue to evolve. Survey data from Farsight Security found that more than half of security professionals work weekends and nearly 30 percent work 10 or more hours a day. But companies still face a jobs shortfall: As reported by TechCrunch, research from (ISC)2 suggests a jobs gap of more than 3 million positions worldwide.
The result is no surprise; cybersecurity professionals are tasked to do more with less and deliver better results. One solution to this problem involves a necessary shift to improve security culture across three key areas: intraorganizational, interorganizational and metaorganizational.
Big Spend, Bigger Breaches
Before committing resources to shift culture and solve security problems, enterprises need to know what they’re up against. When it comes to defending against advanced cyberthreats, organizations face multiple areas of concern.
According to Forbes, companies must be ever-vigilant for the “Big One,” the cybersecurity incident that will have disastrous consequences for a major enterprise, key infrastructure or even society as a whole. Add in the ever-present threat of smaller breaches due to new exploits or existing vulnerabilities, combined with the need to remediate these issues ASAP, and it’s no surprise that the global cost of cybercrime could reach $6 trillion annually by 2021, according to Cybersecurity Ventures.
RSA Conference 2019 had a simple theme: “Better.” The notion was a catchall, a way to acknowledge that all areas of cybersecurity — from frontline defenses to detection systems to user access processes — require ongoing support and improvement. As noted by ZDNet, however, this growing emphasis on continual improvement speaks to the ongoing success and increasing scope of new threat vectors; despite the industry’s best efforts, threat actors are still coming out ahead.
Speaking of IT threats, information security professionals are faced with an evolving marketplace, one in which cybercriminals are willing to collaborate on new projects and cultivate as-a-service alternatives to compromise corporate networks. For example, CSO Online reported that attackers are now targeting enterprise video conferencing systems with internet of things (IoT) botnets, while Futurism spoke to the rise of the industrial safety system-disabling malware Triton — unchecked, this kind of infection could cause both financial and physical harm.
Mind Over Matter?
While C-suites have embraced the notion of cybersecurity as a business driver, effective change demands expert support. As noted by the MIT Techology Review, security professionals are stressed. Cybersecurity conferences now regularly feature community health sessions and tracks dedicated to helping IT experts manage their stress and ensure job demands don’t lead to negative consequences in other areas.
What’s stressing IT right now? A quick rundown includes:
- Malware-as-a-service (MaaS) — According to Bleeping Computer, MaaS markets are rapidly expanding as malicious code makers recognize the value in selling and supporting threat infrastructure rather than assuming the risk of a direct attack. These markets “provide a huge trove of malicious tools and services.”
- Missing money — Spending isn’t keeping up with new cyberthreats. As Forbes pointed out, while some institutions such as banks are ramping up their infosec budgets, others — such as government agencies that regulate critical utilities like power and water — aren’t keeping pace. The bottom line is that paltry budgets continue to plague information security efforts.
- Moving target — Organizations are struggling to close the cybersecurity skills gap. This leaves existing professionals on the hook to do more with less while also finding ways to stay ahead of new IT threats.
The takeaway here is that cybersecurity employees have the right mindset but are often missing the material components required to effectively manage security expectations.
The Organizational Imperative
Evolving threats, employee stress and emerging expectations demand a fundamental shift, one that prioritizes companywide security culture over the siloed approaches of traditional IT infrastructure. Embracing this organizational imperative requires adaptation across three key areas.
Corporate end users — from frontline staff to managers and stakeholders — are the primary consumers of IT services and solutions. As a result, without intraorganizational support in the form of security-first culture, cybersecurity professionals face a losing battle. According to IBM security experts, making the shift requires “muscle memory” — security processes must be “required, enforceable and, above all, easily incorporated into the daily life of your users.”
Perceptive shifts are also critical; creating a security-first culture that recognizes the role of security spending and solutions in revenue generation rather than cost mitigation.
Historically, organizations have been loathe to share security data, especially when it points to evidence of compromise or network vulnerability. The problem with this is that malicious actors aren’t shy about sharing attack data, putting cybersecurity in the untenable position of facing superior numbers armed with better intelligence. As the Federal News Network noted, this is starting to change — for example, the DoD-backed Security Coordination Center (SCC) focuses on threat sharing and mitigation to reduce attack impact.
Private companies must do the same. Interorganizational cooperation is no longer optional in the fight against opportunistic cybercriminals.
To reduce IT stress and improve overall defense, enterprises must think outside the box.
When it comes to bridging the skills gap, for example, companies are well-served with a new collar approach — leveraging new or existing staff who may not possess traditional college degrees but have the needed technical skills, aptitudes or passion for cybersecurity. This allows companies to fill critical positions without having to wait for the “perfect” candidate.
Another option? Managed security services designed to strengthen information security defenses and lower total costs. The right third-party partner can help deliver services, such as custom-built firewalls, intelligent log management and cloud-based intrusion detection, allowing cybersecurity specialists to focus on mission-critical initiatives.
Emerging solutions such as artificial intelligence and intelligent orchestration also offer key benefits. By automating essential, data-driven services, such as attack response, data breach notification and real-time productivity measurement, C-suites gain critical transparency while IT professionals get improved access to the information they need, when they need it.
Security Culture Must Adapt
Cybersecurity professionals are stressed, and with good reason: the stakes are higher than ever. They’re tasked with impressing C-suites, evading threats and improving infrastructure, but are hampered by time limitations, budget constraints and personnel gaps.
Bolstering IT and boosting the bottom line demands a critical shift. Security culture must adapt across intraorganizational, interorganizational and metaorganizational lines to empower shared responsibility, encourage honest collaboration and embrace new information security approaches.