According to research from Gartner, there are more than 3200 cybersecurity vendors. And the list is constantly changing through new launches, acquisitions, and the inevitable failure of many of these VC-funded pipe dreams. For a business navigating the cybersecurity vendor landscape alongside the millions of application combinations that are commonly deployed, nobody can really know everything. And no cybersecurity platform can ever deliver 100% protection – no matter what vendors claim!
As a techie who has worked in the cyber security space for the last 30 years, I have found the growth of cyber security products and services breathtaking. The rush of new products in the last few years has been an understandable response to a more complex threat landscape, but this goldrush mentality among vendors has also been fuelled by the potential value that the criticality of cyber security offers. The spectre of hackers at the gates will unlock previously closed budgets – and there are now hundreds of vendors for every possible branch of cyber protection.
Yet technology, at least from the vantage point of actively working with clients day in, day out, is often the least of their worries. It is, as it has always been, time and expertise. And as ever, not enough of either.
Time and talent
When it comes to time, the main challenge, as any CTO will know, is that there is always something that needs to be done, or a project deadline fast approaching. Even with a small team, this shouldn’t be a problem if the planning has been realistic. However, cyber security can put a spanner in the works without warning: the discovery of a major vulnerability that requires immediate patching, or a security alert from a firewall or another system that prompts an incident response, which, even if it’s a false alarm, will pull people off ongoing tasks. To be fair, modern cybersecurity platforms have helped to automate many time-consuming tasks, but there still needs to be a driver at the wheel to ensure that these systems are delivering as expected.
Expertise is also a thorny problem, and one that is not going away anytime soon. ISC2 estimates that even with 4.7 million people employed within the field, we still have a shortfall of 3.4 million security professionals. But this is a broad swathe of skill sets, and often a business will just need a specific set of skills for a short period of time or on demand. The summer holidays are a great example. For smaller organisations where the CTO wears the CISO crown as well, having the expert away can leave a company vulnerable to threats, and potentially unable to react quickly if the worst-case scenario of a breach takes place.
So what’s the solution? The truthful answer is that there is no right answer that fits every organisation. How long is a piece of string? However, there are some ways of operating that can help organisations better manage cyber security at a strategic level.
Build partnerships
A whole swathe of the cyber security MSP community continually bangs the drum for wholesale outsourcing of cyber security. This is an option, but it does have some limitations. Firstly, not having any IT and infosec skills internally makes it difficult to understand whether your outsourcer is doing what they say, and to sanity-check the quality of the service delivered. Instead, a partnership approach, where you maintain at least one senior in-house expert who works with a trusted advisor that understands your business’s ebb and flow, is a better option. This more flexible approach allows you to skill up based on planned activities, like staff on holiday or a major upgrade, and provides an independent set of eyes across the estate.
Include your team
Accept that you can’t know everything about each area of cyber security and seek counsel when you need it. However, get your teams involved in these projects so that you gain some knowledge transfer. Retaining your cyber security staff is made easier if you can help them to gain more knowledge and progress as individuals. A techie who is stuck doing the same boring and repetitive tasks is probably more likely to leave than one who knows that there are cool projects on the horizon where they can learn from other experienced peers.
Spring cleaning
At least once a year, do an audit. Whether you get this through a third party or run it internally, I can’t stress enough how valuable it is. And I guarantee you that there will be a few things within your environment that will come as a surprise. IT environments change quickly, and technology, in general, is now much easier to deploy at an individual or departmental level without assistance from IT.
If you have your infrastructure locked down through allowlists and blocklists and strong policy enforcement, then the audit might only uncover a few unpatched vulnerabilities, but sometimes it can be a real eye-opener. From any audit, set up a prioritised list of remediation tasks and a timeframe for carrying them out. The unpatched VPN equipment that led to the breach that destroyed Travelex as a business was known about for months and simply ignored. Learn from their mistakes!
And the final point is to be inquisitive. Ask your cyber security advisor for guidance and see what they think is a good solution. You may disagree, or not have the budget, but keep testing the boundaries of best practice and consider new ways of solving entrenched problems. Sometimes it’s not a shiny new product but a change of processes that makes all the difference.