Recently, a colleague of mine attended the 2016 CISO Leadership Forum in San Francisco where he had the opportunity to listen to Steve Zalewski, Chief Security Architect for Levi Strauss & Co., discuss the state of his cybersecurity resources. “I don’t need more hammers,” Mr. Zalewski stated, “I need more people to swing them.” The current shortage of cybersecurity experts is creating a “perfect storm” that could spell data disaster for a lot of organizations, both public and private. While cyber threats are growing more sophisticated and dangerous, a recent Cisco report highlights that there are 1 million open cybersecurity positions globally. This is a significant talent gap that is not going to be remedied quickly and is already causing significant difficulties.
So where can a data security team find more people to swing the data security hammers?
The first step is to develop talent from within. There are a lot of IT professionals who have the skills to manage IT infrastructure, but that does not mean they have the skills to anticipate attacks or know how to probe and test their own networks for vulnerabilities. A degree of educational investment in the current IT staff will be required.
But what about the rest of the company? The IT department is just a small percentage of all the hands available that can help swing the hammer of data security. Why can’t the rest of the company help? Quite frankly, they need to. The bulk of the employee base is still considered the weakest link in data security. Weak passwords, accidental oversharing of information, use of personal cloud repositories, and other poor data security practices by staff remain a problem.
It is obvious that organizations need to change their culture to help prevent data leaks. Every employee needs to become more than just aware of cybersecurity – they need to become active in the protection of data. Changing cybersecurity culture and actually implementing real change across thousands of employees, dozens of departments, and an entire organization is a significant challenge.
At TITUS, we are helping organizations implement an enterprise platform to change their cybersecurity culture. Our solutions engage end users to consider or assign (classify) value to the information they are handling at the moment it is created, opened, saved, or shared. Based on the value of the data, TITUS can enforce policies that protect or restrict data movement. For example, if an email addressed to an external recipient contains an attachment meant only for internal eyes, TITUS will immediately block the email and inform the user of their error. When a user opens a particularly sensitive file, TITUS can also notify them of the sensitive nature of the information it contains, reminding them to be aware of how they treat that information.
And because TITUS tracks how users behave when handling sensitive files, it is possible for leadership to chart the progress of employees and measure behavioral change across the organization.
While improving the culture of data security is not a complete answer to the cybersecurity talent shortage, making the entire organization more responsible for data security will help your team be more efficient and effective. Data that is identified and classified is easier to protect.
As for strategies to help deal directly with the shortage of cybersecurity professionals, Intel Security just released a report outlining steps you can take to “hack” the skills shortage.