Why CISOs must look beyond cyber security community troubles
Not every CISO’s pain points are the same, as each business has a unique IT environment and therefore unique cyber security requirements.
The cyber security industry is paradoxically finding it difficult to sell its solutions and services to public and private enterprises at a time when cyber security is one of the most significant events on the radar.
There are reasons.
Chief information security officers (CISOs) should never have to deal with cold calls, one vendor trash-talking another, demonstrations that are so complex they last hours and need a whole team of engineers to deliver, salespeople pushing to prematurely close so they can meet target, nor service providers that punt the value proposition without once asking the CISO their security pains.
Not every CISO’s pain points are the same. In fact, beyond the inch-deep similarities, each and every business has a unique IT environment and therefore, regardless even of business requirements, cannot help but have unique cyber security requirements.
Service providers therefore must be able to provide a breadth of services that encompass the traditional as well as the advanced. And they must include the depth of skill required to deal with the complexity of business challenges related to cyber security today.
Skills themselves are, in fact, one of the key challenges. The Chartered Institute of Information Security’s 2019 report on the global industry shows 45% of respondents to its survey say lack of resources is their biggest issue.
CIOs and CISOs are far from being the only ones who sometimes find themselves in a little deep.
The greatest skills in demand in 2019 are DevSecOps, Internet of things (IOT) security, vulnerability assessment, customer service, artificial intelligence and machine learning, intrusion detection and penetration testing, cloud security, and malware protection.
Let’s be clear, that list demonstrates CISOs need security solutions and services. They also want them. That desire is in fact fuelled by the same reasons why there is a dearth of skills in the industry.
Cyber security technology is changing rapidly, because the threat landscape is itself changing so fast, thanks to widespread mobile technologies, IOT, cloud computing, and growing, hybrid and cloud data centres.
Nobody is immune to security threats, not even someone who disconnects their device, rips out the network card and the Bluetooth chip, the power cable, and the CCTV camera in the corner of the office. You can thank drones, audio lasers, and the bog-standard smartphone camera for that.
A lot of people are also dealing with the challenge that they’ve been pushed into positions they’re just not equipped to deal with. The miserable shortage of skills is once more the culprit.
Businesses need someone in the role. They have to have someone steering the ship and someone with at least partial skills is better than nobody. But nobody wants to be in the same position as an international business that was forced to pay a $700 million settlement due to a data breach. That company’s CIO reportedly had a degree in music and knew little about cyber security. He also did not have resources that could be relied upon.
CIOs and CISOs are far from being the only ones who sometimes find themselves in a little deep. Systems administrators, general business employees and operational people – who play a significant role in securing an organisation’s systems – often find themselves in over their heads, often without realising it.
The Kaspersky State of Industrial Cyber Security 2019 report says employee errors or unintentional actions caused 52% of incidents that affect operational technology and industrial control systems, for example.
It’s not surprising the World Wide Worx report sponsored by Trend Micro and VMware, State of Enterprise Security in South Africa in 2019, says South African organisations are vulnerable, struggle to retain skills, and struggle to find the budgets to effectively deal with cyber security.
Arthur Goldstuck, CEO of World Wide Worx, says local businesses most want to deal with regulatory concerns when it comes to cyber security. Of secondary concern, and all equally so, are protecting the business against cyber attacks, reducing costs and growing internationally. And that mirrors what I see in the market.
Organisations, particularly those in the financial sector but many others besides, have a dire need for skills and resources to counter these challenges. The dearth of cyber security skills has raised the need for professional services based on reputable experience from across the globe and across disciplines.
Most businesses want to take care of the now more traditional cyber security threats in this fourth industrial revolution era, even if they have precious few resources to allocate to the challenge. But there are newer threats, too, ones such as drones that are also a factor for law enforcement, public organisations and private enterprise.
Those require an even greater degree of skill and experience that businesses typically cannot afford to keep even if they could attract the talent.
Vernon Fryer is chief information security officer and head of CDOC at NEC XON.
He has nearly 50 years of experience in the cyber security industry. He has served at IBM, SAPS, Interpol Southern Africa, and been SA’s national head of the Computer Crime Unit. He lives and breathes cyber security.
Fryer has investigated computer fraud, helped track assets in liquidation, testified in intellectual property disputes, conducted forensic investigations and numerous security audits for regulatory requirements.
He was on the International Computer Crime Work Group and in 2008 was included in the Who’s Who in the World.Today, Fryer develops business solutions that mitigate unified cyber and physical security threats, and operates Africa’s foremost cyber security managed service. He also consults to the continent’s most prominent defence, government, financial and mineral resources operations, as well as businesses in several other sectors.