“In a time of uncertainty” has to be one of the most-used but least helpful phrases of the moment.
What certainly is true is that we’re looking for sure footing across so many aspects of business, to try to understand and prepare for everything from job security to shoring up revenue. At the centre of this are our security professionals: those whose actual job it is to keep a company’s data and technological assets safe and operating seamlessly for the rest of the workforce.
The internet is awash with talk of the biggest cybersecurity threats of 2020, the quickest routes to resilience, the cost of compliance penalties, data breaches, and the vital importance of ensuring that digital transformation investment does not stall. What is less clear is how we might create longer-lasting cultural value, and what the human side of these practical steps looks like. So, what are the factors influencing this new security culture?
Phishing phase
When things don’t make sense, we’re inclined to look for information that helps them make more sense. The temptation for employees, now working remotely, to visit and sign up for new or untrusted information sources is high.
As one of the cheapest and most efficient methods of reaching targets at scale, it’s not surprising that phishing is one of the leading causes of data breaches, according to the Verizon 2019 DBIR. However, hackers are upping their game with a myriad of advanced techniques. Phishers are targeting numerous business SaaS applications – now accounting for 36% of all attacks – and are continuing to use personal information shared on social media sites to create more authentic-looking, interpersonal messages.
As a result, these attacks are becoming increasingly difficult to identify – even for the most tech-savvy users. Educating staff is crucial – not just through communication, but through practical demonstrations of scams and simple, effective ways for staff to raise an alert.
Leaving the back door open
With most of the workforce at home, security teams are trying to equip them as well as possible to handle their own security remotely. What that means is that people are more likely to make mistakes: handing over data to untrusted sources, not following update protocols, and racking up unpatched vulnerabilities.
Misconfigured cloud servers, multi-cloud environments and insecure APIs all leave systems vulnerable to hackers. Employees are also more likely to download insecure public software as a service (SaaS) tools without IT department approval. Not surprisingly, more than 1 in 5 organisations experience a cyber incident originating from an unauthorised IT resource. As part of the changing security culture, security must become everyone’s responsibility, requiring a shift in mindset so that we don’t bring vulnerabilities into our own homes, let alone the office.
Changing roles
Research released earlier in the pandemic indicated that 47% of security teams have found themselves reassigned to general IT tasks, and 90% are working remotely full-time. This is, of course, a worry: as these teams are inevitably stretched across more responsibilities, the threat of an attack could be heightened. However, it could also be a positive thing, helping evangelise cybersecurity across broader IT thinking, especially as investments like DevSecOps continue to break down siloed thinking.
Being able to deploy the right security talent where it is needed, with oversight into how those people fit into the rest of the IT team, will be one lasting outcome of the pandemic. Prioritising where these professionals are focused may also allow some tasks to be automated in the long term.
Cyber skills talent gap
What we don’t want to end up with is a wider talent gap, already a burgeoning issue in the industry. The growing cyber skills gap has left organisations without adequate security talent to perform the functions they need to stay secure – and it has many CISOs concerned.
According to a recent Marlin Hawk report, two-thirds (66%) of CISOs said they are experiencing talent shortfalls because candidates don’t have the right technical knowledge, lack experience or simply aren’t the right cultural fit. It’s a problem that the majority of CISOs (62%) think will get worse over the next five years, but – like many changes happening right now – this may simply have been accelerated by the recent crisis.
Now is not the time, therefore, to be diluting these roles, but rather to use their reallocation to strengthen and help socialise the idea of security as a core company value.
Future CISO
The role of the CISO now reaches further up and down the chain of command than ever. Managing upwards, CISOs are firmly ensconced on the decision-making board, and it is often their job to close the gap between where they know they need to protect their businesses and where their peers believe investments should be made.
Managing the broader workforce and running a 24/7 operation requires the ability to identify a genuine security incident amid a barrage of false positives and low-priority alerts. Looking to the future, CISOs will need to contend with an even more flexible workforce – forcing them to be more agile in the face of the threat landscape than ever.
Despite the hardships and challenges faced by our businesses, the last few months have highlighted that security is not something that can be de-prioritised. This can be a perfect moment for our cybersecurity teams to help us make certain that security, stability and sure-footedness – in both the practical and the very human sense – are placed at the heart of shared company values.
Oliver Friedrichs
VP Security Products, Splunk