It’s well understood that the threat landscape continues to change – increasingly sophisticated attack vectors keep emerging, and the explosion of connected devices means there are ever more endpoints that need to be managed. In fact, the NTT Group Global Threat Intelligence Report 2016 highlighted that end users have become increasingly vulnerable and, given the rise of the “Internet of Things” and employees commonly having more than one connected device, the security challenge is growing. The same report also noted that 21 percent of vulnerabilities detected in client networks were more than three years old and more than five percent of them were over ten years old.
Some experts argue there is a lack of internal resource to keep up with the growing threats, meaning it’s no longer possible for many organisations to tackle all aspects of information security management in-house. Research has highlighted that, while budgets were available to hire more personnel, there’s an insufficient pool of suitable candidates with the relevant skills and industry experience.
So what are the options? Well, as always, one option is to “do nothing” and deal with an issue once it occurs. An obvious problem with this approach, however, is that it doesn’t allow for any measurable risk management planning and, as a result, potential impacts from breaches cannot be understood until it’s too late. Furthermore, if there are no skilled personnel to address the issues once they occur, the impacts felt from the problem could be compounded. Our recent Risk:Value report found that organisations now estimate that recovery from a breach can be upwards of $1m – and this does not reflect reputational damage to brand nor erosion of customer trust. Whilst there is an option to do nothing, it can quickly become a false economy and a significant business inhibitor for future commercial success.
At the other end of the scale, organisations may choose to fully build a cybersecurity practice in-house to support their business needs. The advantage of this approach is the direct control it affords the organisation. However, due to the independent nature of the approach, it is unlikely that the organisation will have full visibility of the latest threat information from around the globe as it occurs. Missing out on this contextual information may mean that trends are missed, or that vulnerabilities take longer to close. Additionally, a stand-alone cybersecurity practice or security operations facility carries with it a considerable cost to build and maintain – especially against a backdrop of skills shortages and the rising costs that follow. As such, this approach may be prohibitive for all but the largest organisations.
Another option is for organisations to focus their available resource on the highest priority items – the trouble is that it is not always easy to set the right priorities in isolation. One way to address this is to work with a trusted third party to help define a prioritised list of deliverables based on industry standards and best practice. This Risk Insight approach should enable a clear view of the organisation’s security architecture, policies, procedures and documents, plus allow a deep-dive study into the current overall risk posture. From here, a prioritised action plan, together with a detailed roadmap, can be built and implemented while taking into account the organisation’s budget, resource and overall business strategy.
Some organisations may decide to take a step further and completely outsource their cybersecurity needs to a trusted third party. This has three distinct advantages – the first is that the organisation does not need to invest in the skills, nor manage an ongoing cybersecurity operation itself. The second advantage is the financial overhead. As skills become more scarce, the demand for (and cost of) those skills inevitably rises. Using the skills base of a dedicated cybersecurity partner means the organisation has access to the right skills to meet its operational cybersecurity needs without having to attract, retain and continually develop skilled personnel. The third advantage is the ability to benefit from the economies of scale associated with working with a partner who has vast visibility of threat data from around the world. A partner gathering threat intelligence from around the world and from various business verticals is likely not only to react to threats, but to be proactive in identifying and closing vulnerabilities. There are a growing number of dedicated managed security service providers to choose from – though it is important to remember that not all offer the same depth and breadth of expertise, so check exactly what they offer in advance.
The cybersecurity skills gap continues to widen and, until this is addressed through wider education, training and professional development, organisations need to think carefully about a future that relies on getting by with existing resources versus outsourcing some or all of their security operations to a trusted partner. Whatever approach is taken by organisations, it is one that must be taken quickly – the threat landscape is not standing still, and the implications associated with a cybersecurity breach are carrying ever greater consequences.