Why the cyber security skills gap is a boardroom issue
The shortage of IT professionals in the UK has been well documented. Several years ago, a study commissioned by the Royal Academy of Engineering predicted that the shortage would be felt for years, as the UK was simply not producing enough STEM graduates to meet industry needs. A more recent analysis by Tech Partnership seems to bear that out, showing that there were, on average, 163,000 vacancies for digital specialists advertised across the UK during each quarter of 2015. The shortage of professionals who specialise in security is even more dire.
This shortage, once the purview of human resources departments, has been escalated to the boardroom due to the critical need for cyber security professionals with the skills to protect their organisations against attacks that are increasing in both frequency and sophistication.
The average cost of an online security breach for UK businesses is between £1.46 and £3.14 million. Worse still, in 2015 the industry reported a significant increase in the number of breaches in both large and small organisations at 90 and 74 per cent respectively. One suggestion is that this high increase in security breaches is due to businesses becoming more aware and effective in detecting and reporting cyber crimes. If that’s the case, it’s good news, but it doesn’t explain why organisations are still under threat. And it leaves the most important question unanswered: what can these organisations do to protect themselves? Cyber security is the biggest challenge for the UK right now and it’s spreading rapidly across many industries — not just in IT. To tackle the issue head on, we must first understand the causes behind it.
The tidal wave of cyber threats
The data explosion has resulted in huge amounts of Internet traffic that flows through corporate networks at rapid speeds. Today, up to 80 per cent of a company’s data traffic is Internet-related. Lurking inside that traffic are malware and spyware waiting for the right moment to strike and infiltrate corporate networks. Our growing reliance on public and on-premises Wi-Fi is creating opportunities for criminals to conduct illegal activities right in front of us – yet these activities are often hidden in blind spots.
As Internet traffic ebbs and flows, corporate users are also downloading unauthorised mobile and cloud-based applications, and uploading sensitive data onto public cloud storage systems like Dropbox and Box. This activity is known as shadow IT, and many employees are unaware of its dangers. As such, they are unintentionally compromising their corporate security – and along with it the company’s reputation.
The CISO and IT staff have had no choice but to firefight in these situations. Large enterprises have established IT security teams that grow with business needs, and they often have multiple point products implemented in silos. These isolated systems create significant amounts of data for analysis, which is an ineffective and time-intensive way of monitoring potential threats. For small and medium businesses, the challenge escalates in other ways. Many cannot afford to hire their own security specialists, as such professionals are scarce and command a high price. Yet, SMEs experience the same level of cyber-attacks as any large enterprise.
Blocking the attack is key, but organisations also need to be agile enough to be able to react to imminent threats quickly and effectively. The adoption of security-as-a-service solutions solves these problems for both large and small organisations. A security service removes the need for hiring a dedicated team of security specialists to maintain hardware and deal with uptime/availability. As an example, the Zscaler Internet Security Platform provides up-to-date threat feeds and adds scalable, new functionalities, like sandboxing, to detect new threats as they emerge.
Running a security platform in the cloud offers the added advantage of 24/7 coverage protection for roaming users. It also provides better integration with SIEM systems to automate the identification of new threats and infected devices. As a result, security specialists can focus more time on protecting the architecture of the internal network, the data centres, and inbound firewalls. They will also have a more effective way of identifying infected devices, ensuring that procedures are in place to quickly disinfect those devices, and ensuring business users maintain a high level of productivity.
The skills shortage in cyber security means that IT and business leaders need to outsource security protection and defence mechanisms. As applications move outside traditional data centres into the cloud, the smart approach is to deploy security measures that also run on the cloud. One of the immediate benefits is 24/7 monitoring, which provides the CISO and IT teams with better visibility into unusual spikes in traffic and allows them to anticipate possible cyber attacks before they hit the network.