In light of evolving cyber crime, hacktivism and insider threats, the Security for Business Innovation Council (SBIC) – an independent group of security experts from Global 1000 enterprises – has released a report on what it takes for an organisation to create an elite security team (PDF).
Made public on Monday, this first of three reports outlines in seven steps what it takes to improve an organisation's cyber defence squad, beginning with cross-training of employees and simultaneous interaction between business and security efforts.
“Process optimisation and process management doesn't exist in the IT realm,” Eddie Schwartz, CISO with computer and network security company RSA, told SCMagazine.com on Friday.
Schwartz said that IT people need to abandon the top-down approach of going straight to the executive level and instead engage all levels of an organisation: upper management, middle management and even the lower levels, for example through training programs.
“Part of building a team is leveraging abilities throughout the organisation and finding people with fine-tuned skills who can bring expertise into the business,” Schwartz said.
When asked what the incentive is for people to take on additional responsibilities and if employees would be receptive to cross-training, Schwartz pointed to an availability of positions in the IT realm and higher salaries as encouraging factors.
“It's a cool field,” Schwartz said. “I'm protecting the enterprise, it's exciting, there's no mundane quality to it. I think that resonates with people.”
The SBIC recommendations also encourage businesses to have their primary IT security teams focus on cyber risk intelligence and security data analytics and management, while delegating everyday operations to other experts within the operation or established third-party service providers.
“The old-school mentality is that you have to do it all yourself, but the truth is that many service providers do a great job and [can even] do it better,” said Schwartz.
Serious cyber crimes date back as early as a decade ago, so what has been the holdup regarding implementation of these strategies? Allocation of budgets and other organisational priorities have long been a part of the problem, according to Schwartz.
“IT budgets are lower,” he said. “In many industries, IT is now 10 to 15 per cent of the budget. As you see those budget increases, a percentage of that is human support of technology, of analytics and of compliance. You have to staff up to meet that need.”
Another component is the lack of adequately educated technical people who are up to date with a security field that is growing increasingly complex.
Looking to the future, the SBIC experts see a global shortage of particularly good IT people, and Schwartz suggested a long-term solution: working with universities and programs to encourage people to choose cyber security as a career field.
“A decade ago, a small handful of universities had [cyber security] undergraduate or graduate programs,” said Schwartz. “Now there are 40 or 50 that have it – and more that have courses, at least. But it'll take a number of years before we get to where we need to be as far as education and the IT workplace [is concerned].”