A lot has been said about the impact the InfoSec skills shortage is having on organisations' ability to protect themselves from cyber-attacks. Some businesses are resorting to renting candidates while they recruit for longer-term positions, and universities are beginning to accredit cyber-security courses into computing degrees as a core credential. By implementing cyber-security to all computing courses, we could see 20,000 more computing graduates leaving university with the skills they need to protect organisations against cyber-attacks and data breaches.
Whilst there is a clear need to address the skills shortage, perhaps we're looking at the wrong side of the coin? With antivirus software proclaimed long dead, security vendors have had to shift their strategies to enable businesses to take a proactive stance against cyber-crime.
Moving away from a purely reactive response to data breaches and attacks is possible only when businesses improve the visibility they have across their IT environment. Simply put, it is basic security hygiene. Contrary to popular belief, attacker methodologies are not getting more sophisticated. Moreover, it is the gaps left open through inadequate software patching and not knowing how many devices are on your network, or where your network ends, that are leading to an increased frequency of attacks. Security and IT operations teams must be equipped in their software to manage their endpoints with unprecedented speed, scale and simplicity for breaches to have minimum impact. Hacks are no longer a question of if, but when.
The majority of attacks we're seeing in the headlines today are not especially advanced; instead attacks are the fault of the traditional IT models. These models are used by 99 percent of the industry and work from piles of outdated software, held together by patches and ad hoc solutions. Legacy systems such as these mean it can take up to two weeks to investigate hacks, as they rely on old data sets. With the correct tools IT professionals will be able to spot problems they didn't even know existed. These same tools will be able to provide instant visibility across endpoints, enabling breaches to be dealt with immediately and when it matters, as opposed to being brought to attention after the damage has been done.
Make it simple, make it human
Though the broader debate calls for specialist roles to fill the jobs market gap, cyber-security is in fact a board level issue. A CISO should be able to explain to the board in layman's terms – presenting real-time data into what has happened in a timely manner. Essentially, it is about security software working at scale and enabling everyone and anyone in an organisation to be able to make sense of the chaos. Companies are struggling to know what is actually happening on their networks. More often than not it is the simplest security questions, which are the hardest to answer, such as, ‘How many computers are on this network?' Software working with outdated information, days or weeks old, makes it impossible for these questions to be answered truthfully. Large companies are not being given the visibility to see everything, which happens on their networks. These blind spots make them vulnerable and susceptible to outside attacks.
Security needs to be tackled by every person involved in a business; from an IT manager, or a CTO through to the board. To allow this, we need to see more developed security software, which has the ability to process data and anomalies fast enough so that multiple people can quickly tap into and manage networks' cyber-hygiene. Everyone in the business needs to be trained to know what questions they should be asking. Asking these questions regularly is not dissimilar to having regular health checks with your doctor. By undergoing a simple procedure and asking the right questions, this can save you in the long run and alert you to anomalies as and when they appear.
The three rules
The cyber-security crisis, therefore, is not a question of skills shortages, but is more to do with organisations not having the right tools. Legacy technologies such as antivirus or firewall cannot offer businesses the visibility they require. Technology, which can offer scale, speed and simplicity needs to be adopted and, importantly, the benefits need to be understood by the board so that time and education is a dedicated part of staff training. While we can throw our arms up in despair at the skills shortage, there are three quick rules to get the basics right and exact a safer online environment: Keep it simple, keep it human, make it fast.
Contributed by Richard Olver, VP of EMEA, Tanium