CISO's Corner: The Four Best Cybersecurity Investments You Can Make During the Cyber Talent Shortage

The need for strong cybersecurity has reached critical mass. Seventy-six percent of security leaders have reported an increase in cyber-attacks over the past year -- accelerated by the COVID-19 pandemic and a rapid shift from an in-office to a remote workforce and on-premises to cloud infrastructure.

There’s also been a rise in nation-state tensions and safe harbored advanced adversaries. The latest ransomware attacks by well-funded hacker groups against high-value companies and critical infrastructure have been drawing mainstream media attention seemingly every week. Specifically, the attacks against SolarWinds, JBS and Colonial Pipeline showed just how fragile our cybersecurity posture is in critical areas and how much we need more cyber resources.

Talent Is In Short Supply

It’s no secret. This surge in malicious cyber activity comes as the industry, and the U.S. in particular struggles to fill critical cyber roles. Some 359,000 American cybersecurity jobs remain unfilled, according to a 2020 survey by (ISC)2.

As governments, cyber leaders, and the education sector rally together to drive more interest in cyber roles through awareness campaigns, evangelism, recruiting, and job matching initiatives, organizations need guidance on maximizing the talent they do have and how to combat the rising tide of cyber threats.

Who Needs To Hear This

All organizations are feeling the pressure of the cyber talent shortage. But organizations in highly regulated, highly funded industries can spend millions on cybersecurity and can attract top talent much easier. Bank of America CEO Brian Moynihan says the company spends over $1 billion per year on cybersecurity.

Many SMBs, enterprises and even governments agencies aren’t in as fortunate of a position, and many are strapped for budget and have numerous open critical cyber roles. This guide is intended for those organizations and their leaders that understand that cybersecurity is paramount but need to maximize the investments they can make in talent, technologies and services.

1. Invest in the cyber expertise you do have. Automation isn’t going to save the world. It needs highly trained and capable people to operate it. A Ferrari can still crash racing on the simplest track if an inexperienced driver is behind the wheel trying to go fast. The same goes for top-tier cybersecurity tools. Cultivating a culture of performance and excellence is essential within your security team. Feedback and training need to be ongoing, not just once a year. Providing your cyber experts with the resources they need to do their job to the best of their ability should be a top priority. Do all you can to keep them engaged, hungry to defend your company, and build their knowledge base.
2. Automate and outsource if needed. No company can be cyber successful without automation. Alert fatigue and false positives are real problems. AI and machine learning are powerful tools that deserve much consideration. That said, you must implement the right kind of automation. Automation needs to be selected based on the capabilities of the security team that you have access to and your environment complexity. If you are short-staffed or don’t have true cyber expertise in-house to handle complexities like cloud infrastructure migrations, solution deployments, or security operation center (SOC) integrations -- consider outsourcing your security to a trusted managed security services provider. Making sure you have the right expertise on your team, whether in-house or third-party, is going to make or break your cyber success. Having a trusted third-party partner in place can save you from making costly, unnecessary cyber investments or potentially reputation-damaging cyber incidents.
3. Invest in your employees and executives and their own cyber awareness and training. A recent study revealed that nine in 10 (88%) data breach incidents at organizations are caused by human mistakes. Employee and executive cybersecurity training have never been more paramount now that we are in a permanent hybrid workforce world. Employees are naturally more distracted as they move back and forth between the office and their home for work, opening them up for social engineering and phishing attacks, which account for 94 percent of malware delivery and 80 percent of all security incidents. Cyber training needs to be especially ramped up if you are a critical infrastructure organization or part of a priority supply chain – as you may be a highly desired target for hackers.
4. Invest in proactive vs. reactive security. The biggest mistake that we’ve seen recently is organizations staying stagnant in defensive cybersecurity strategies. This is a flawed and outdated approach to cybersecurity and can result in catastrophe. Your organization must be thinking proactive with programs like threat hunting, penetration testing, and managed network and endpoint monitoring to combat the new wave of advanced adversaries. If you’re not constantly looking and ‘hunting’, there’s no telling whether or when an adversary has compromised your systems.

Solving The Talent Shortage Together

The talent shortage is a massive challenge, but the cybersecurity industry resilient. With the revitalized interest in collaboration between the public and private sectors and recent Executive Orders on cybersecurity, we are well-positioned to work together and establish effective solutions to the cyber talent shortage. But while we are working together on solutions, organizations need to stay collaborative, vigilant and proactive to fight against this wave of new threats.