April 19, 2017
Rick Fink, rSolutions
The cybersecurity talent shortage is something that we repeatedly hear about and see firsthand in our consulting work. According to some sources, there are currently up to 200,000 unfilled security positions in the United States, and an estimated one million open positions globally. By 2019, experts say there could be 1.5 million unfilled cybersecurity jobs. We hear these things in reports from IBM, Symantec and Cisco, to name a few. But, even if you debate the exact number, we still can agree the shortage is real.
Indeed.com recently did a study on two years’ worth of relevant job posting data worldwide, in which Canada is reported. It becomes clear that demand is simply outpacing supply.
The risk in this shortfall in supply is that many companies are finding themselves performing work arounds to their IT security challenges. It’s a race to the basement, which increasingly erodes security teams’ footholds on defence and makes security posture proactivity more and more difficult to attain. In the meantime, the threat landscape is increasing in size as the market for stolen data increases and successful attackers propagate in-step.
In this environment of increasing threats to the organization, decreasing availability of skilled workers and inherent risks to performing workarounds with available resources, an honest question is: Which security tasks and roles can be outsourced?
Whether you are part of a major corporate enterprise or a public-sector organization, it’s hard to probe your own organization for vulnerabilities. Skill and smarts aside, our own connection to the environment may actually impede objective analysis of the security posture. It can be difficult to gain the necessary perspective from inside your organization. Kind of like creating, writing and scoring your own test, if you do well – you wonder, if you do poorly – you wonder.
A proper vulnerability assessment will be performed by a third party and look at network, application, email phishing and social engineering vulnerabilities. It will probe your infrastructure, help you understand your security posture as it currently exists and prioritize actions your team can carry out to make improvements.
These assessments typically follow a quarterly or annual reporting period timeframe and will provide even greater insight over time as Vulnerability Assessment findings are remedied and awareness is created of the things to look for within your unique environment. We regularly recommend annual or bi-annual reporting, as fixes to systems and training of staff can take time and a quarterly measurement may simply be too short a timeframe to see results from the findings of the previous quarter.
Security monitoring is big piece of IT Security success, but is often underachieved due to many factors. The first is the underlying premise of this article – simply too few people to do the jobs required. The other lies in the tools required to do the job. In IT Security there are tools for endpoint protection, email protection, firewalls, privilege access management, mobile device management, security policy management and often there are multiple and overlapping tools used for each piece of the security required for each. This requires security professionals to continually pivot in and out of different security products reporting windows to provide some nebulous understanding of their security posture.
Imagine that you have all these reports from all these different security products and your job is to reconcile and make sense of these reports, but also in real time that allows you understand your organization’s up-to-the-minute security posture. I hope that didn’t conjure an image of a happy and diligent worker, because that peaceful image would be a blatant lie in most cases. The complexity and enormity of the reporting alone doesn’t lend positively to having anything close to real-time understanding, and as we know, our computing environments rely on instantaneous connectivity.
Outsourcing to professionals who can set up your IT Security posture, with single pane of glass reporting is a serious consideration and is available and will provide the quick response times necessary. Now this doesn’t mean your security team will all get the day off, but it may afford them the time to trouble shoot, patch and actually get ahead of the curve in becoming more progressive than defensive.
Often times our application development teams and security teams don’t communicate well. Just because they all fall under the IT banner, don’t assume they share common objectives. Development teams are tasked with developing and updating new and existing software so it performs a business function. For the development team, they are pushed hard to meet taxing deadlines and to get these systems operational as soon as possible.
In their pursuit to economically meet deadlines, at times, they have been known to forklift in code from similar applications or code that performs a similar unique function they require the application to perform. Let’s face it, it’s standard practice. However, in this haste, we can actually open vulnerabilities and import existing vulnerabilities into new applications. It’s not the development team’s job to think about security and this prevailing attitude exists. On the flip side, imagine a developer that tested all their code for security compliance. It’s safe to assume the pace of their work would be somewhat like making an ejector seat reservation.
Your security team will likely lack the time and resources to effectively search for vulnerabilities in newly developed/updated apps. The development team is on a different track and in all likelihood will lack the capability to ensure security compliance. So, the onus falls where? This is where a dedicated security team focused on this one task can help.
Whether your security monitoring is outsourced or on-premises, once it finds an incident is where the rubber meets the road. Sure, you can prepare for the immediacy and importance of a security incident, knowing that your resources are positioned well to respond, knowing who will start the chain of notification for internal and external audiences (and know the new policy and legislative requirements too) and so on. Yes, in some cases your team might be well suited to respond. But, if you stand-up right now and walk out to your in/out board you’ll find one or two key resources away, on training, away from their desk, or in a meeting. That’s just life and the point is that we tend to think idealistically in resource allocation around a crisis, not that we’ll be ill-equipped in some way. And, if you’ve ever been in midst of a major security incident, even with a highly-prepared and competent team, the challenge is all about the readiness of the people who were there at the time. When we think about it, it’s a slim entry vector that will either allow us to descend safely back to earth or bounce off the atmosphere into oblivion, so establishing a good relationship with a IT Security firm that specializes in incident response and forensics is wise. Because it allows for a bit more wiggle room in that re-entry vector for better odds of a safe landing.
Training is becoming or will be a requirement of policy compliance, insurability requirements, or just plain-old sound business risk management. Security training takes a variety of forms and there are a few choices and a few more products on the market that provide out-of-the-box security awareness content for your organization’s customization. It is our assertion that targeted, meaningful training helps raise the profile of security threats to wider audience beyond the IT silo. When those messages are communicated outside of IT, everyone wins, as the challenges and threats to the organization get more attention. This can contribute positively to more than just awareness and contribute positively to the bottom line.
As we grapple with the widening threat landscape and an unnatural pace of evolution of threats on that landscape, we are met with fewer resources to choose from to keep us safe from harm. Outsourcing your security services to a fully or partially managed IT Security solution may just be the wise way to go, heck, soon enough, it may be the only way to go.