It should come as no surprise to learn that IT managers feel pressured to purchase new cybersecurity products even if they don’t have the skills to implement the technology properly.
The 2016 Security Pressures Report (commissioned by security and compliance vendor Trustwave Inc.) found that the top three items on the 2016 “wish list” of respondents were additional budget (33%), more security expertise/skilled employees (20%) and fewer complex technologies (15%).
That same survey found that there is much more pressure at the board level on IT security professionals than there ever has been in the past as Cybersecurity has clearly shifted from being what was formerly considered an IT issue to become now a board level business issue.
It turns out that 4 out of every 10 respondents claimed to feel as much pressure before and after a board meeting as they do during a breach. Potentially related to the increased pressure from and involvement of the board in IT decisions was the finding that 3 out of 4 respondents face pressure to purchase cybersecurity products containing the latest features, despite knowing that they lack “the adequate resources to properly adopt, deploy and use those products.”
There is a clear mismatch between what IT is reporting to the board and what the board does with this information. The indication is that many board members don’t fully understand all of the issues involved in events like data breaches, and are making “board-like” decisions based on the ‘Do Something Disease’ which manifests in symptoms like sudden panic and un-attributable fear.
Combined with the belief that the newest technology will solve their perceived problems, this disease is exacerbated by a failure to understand that most IT departments are not properly using the technology they already have, nor do they have the skills and resources to implement more.
In previous Security Pressures Reports, purchases of cybersecurity products that were never implemented had been gradually increasing and the current report ratifies that trend. The “Shelfware” problem appears to be getting worse based on this new research.
The conclusion is that IT/security teams needs to implement the appropriate processes to deal with security violations and what to do with the information they already have, not necessarily throw the latest and greatest technology solution at the problem.
New cybersecurity products aren’t the only operational pressure hitting IT pros. The top operational pressure was found to be advanced security threats (26%), followed by the adoption of emerging technologies (22%) and the shortage of cybersecurity expertise (14%).
The report found that the number one adversary is still the malicious outsider threat, but the next adversary is the ability to respond to those threats. The report claims that the more advanced the security threats become, the more sophisticated the technologies and solutions must become to defend against the threats, but the ability to apply that technology may be non-existent.
It seems that the majority of respondents claimed the pressures of adopting emerging technologies was related to adopting Cloud or IoT technologies which are being forced into implementation well before proper security protocols or skills are in place to support them.
These tend to be perceived as business-enablers and revenue-generating, and so there’s always more pressure to grow revenue faster and push these technologies out the door before they’re actually confirmed to be secure. The board has a conflicting set of priorities and a resulting disconnect between aggression and reality. It is up to IT/Security teams to educate and inform so better decisions can be made.
Many decision-makers are much more reactive than proactive and are willing to spend lots of money to remediate problems after a problem occurs. Which so far hasn’t resulted in too many massive calamities, but the day is still young.
Hammering home the consequences of poor security practices and solutions through numerous case studies can be helpful in driving home the idea that cybersecurity must become the top priority and personalizing the experiences of others will be more effective in moving board members toward a practical outcome-based understanding of security breaches versus some vague theoretical exercise.
The survey suggests that IT professionals believe hiring more skilled workers is a potential solution to some of the cybersecurity issues, because almost 9 in 10 said they would want to at least double the size of their security staff, but unfortunately, the shortage of security expertise also rose from the eighth-most important operational pressure last year to the third-most important in the current survey.
The current skills gap is something that can’t be overcome easily. I have suggested in prior posts that we lower the bar and stop searching for Unicorns that don’t exist. We need to hire competent network engineers or elevate our existing staff and certify them to the tasks that are actually involved with day-to-day InfoSec. We could do a much better job of assessing the true requirements and matching those to available resources than I think we are presently doing. Of course, using a managed security service provider and letting them worry about addressing the skills gap is another alternative.
An MSSP is not a short-term fix for a staff shortage but part of a longer term security strategy. Because a managed services provider will see attack trends and broader scale patterns of attacks and have appropriate tools to monitor activity 24×7, they are able to take advantage of the one-to-many model.
This isn’t a commercial for MSSPs, but that model also helps with threat intelligence. The ability to monitor tens of millions of disparate events is going to provide much better insight into security threats and the security landscape than a company could do on its own. In addition to that, the critical mass of the global provider enables around-the-clock security monitoring, so you can get more cost-effective security resources from around the globe rather than doing it on a local basis.
Either way, we are seeing evidence of a growing problem with an increasing number of cybersecurity point solutions and the flat lining in the investment community within the cybersecurity product space is additional testament to the problem. We have way too many security solutions and way too few resources to evaluate, qualify, vett and assess let alone implement the good ones.
We also have the problem of board members skimming the latest inflight magazine article on Trustenex’s new security software solving all of the cybersecurity problems in the frozen entrée segment of the food industry. It must be good, right?