2022 will be the year when organisations finally let go of the long-held tradition of being based in an office, working set hours, and measuring the volume of work verses the value. As we learn to live with these changes for the better, the adjustments to working patterns that were introduced in a hurry will be refined and embedded. Organisations will seek to establish and nurture a flexible, work-from-anywhere culture that empowers employee engagement and productivity through a raft of digitally enabled collaboration and data-sharing tools. As the lifeblood of the business, data will be more disparate, mobile, and accessible than ever, which has enormous implications for the security teams tasked with protecting this environment. Meanwhile, a persistent cyber security talent shortage will impact the decision-making process for C-Suite executives who must set strategic priorities for data management and breach mitigation with limited resources. So how do we expect the year to unfold?
The threat landscape: diversifying threats and multiple attack vectors require layered security response
The new business ecosystem is emerging against a backdrop of more diverse, persistent, and disruptive threats to data and operations. These threats target every layer of the organisation – from software systems and infrastructure to employees and the supply chain.
Well-resourced, highly opportunistic adversaries are taking advantage of the newly distributed enterprise and ramping up campaigns on all fronts, from business email compromise and Ransomware-as-a-Service, to sophisticated multi-stage attacks originating in the supply chain. Until there is a coordinated, international effort to combat cyber crime and hold those parties that commit these acts accountable, we expect to see these lucrative attack types continue to escalate in frequency and severity.
Tackling this diversity and frequency of threats requires a layered approach that follows and protects data throughout the business and beyond, with supply chain threat and third-party risk rising up the priority list as the scale of exposure to supplier vulnerabilities becomes clearer.
In terms of remote working, we hope to see a greater emphasis on good security fundamentals as opposed to adding potentially unnecessary tools to the security stack. Establishing strong identity management (MFA, etc.), patch management, logging, and right-sized permissions will be addressed more.
Battling security threats in UK retail, during the pingdemic and beyond
Internal risks: the strategic security project backlog remains and talent is scarce
External threats are not the only problem. The disruption of the past 18 months has seen many organisations realise that their strategic security posture was behind the curve when the request for remote work became a requirement. For example, research conducted during the summer of 2020 found that the biggest threat noted by security departments was the inability to implement multi-factor authentication to facilitate secure remote worker access, something that should have been in place already. However, with resources stretched to breaking point by the immediate demands of the almost exclusively remote workforce, many organisations had to leave strategic security projects on the back burner.
Now, as they urgently try to catch up, security teams are also facing an industry-wide shortage of talent. The latest data from the 2021 (ISC)2 Cybersecurity Workforce Study estimates that an additional 700,000 professionals have joined the cyber security sector, but that the gap between the number of additional professionals needed to adequately defend organisations and the number currently available stands at 2.7 million. This is clearly a huge gulf between the people available and the quantity that are needed.
It’s not just about the quantity either. With the industry moving as fast as it is, it’s often hard to precisely define the exact skills teams require. Additionally, the stresses of the pandemic have prompted employees across all industries to re-evaluate their relationship with work and the cyber security sector is as susceptible as any other with people deciding to retire early, seek part-time employment or choose another path entirely.
For C-Suite leaders this creates a thorny problem. How to meet their strategic security ambitions with limited resources and without putting unacceptable pressure on their teams?
Automate to accelerate
The answer is two-pronged. First, automation will be the watchword and a high priority, as essential groundwork to ensure new-shape businesses function effectively and securely. By deploying automation into the security mix, businesses can lift the burden of repetitive, mundane tasks from skilled employees and instead allow them to flex their talent in more interesting, higher value areas.
This should help employee retention as well as eliminating human errors arising from boredom or excessive alert volumes. Automation will boost productivity and become a key investment in the battle against cyber adversaries; it will also see Security Orchestration Automation and Response (SOAR) tools reach the next level of efficiency and intelligent application. Organisations that move fast on this will find themselves in a stronger competitive position, able to accelerate projects without having to recruit scarce resources.
Mind the skills gap: building a workforce for the digital economy
Taking the long view on cyber skills
The second driver must be longer term. The needle is slowly moving in the right direction on cyber security recruitment, with (ISC)2 reporting an additional 700,000 people joining the profession in the past year, but with 2.7 million seats still to fill we need a step change in how we build a pipeline of security professionals. Dedicated higher education routes into cyber security remain rare, and the pool of computer science graduates is not deep – and is in high demand. We need to start being creative about recruiting specialists from a more diverse set of disciplines into security and growing our own talent pipelines. The UK’s National Cyber Security Centre is currently undertaking a raft of activities aimed at recruiting a more diverse talent pool, introducing young people to the concepts and dynamics of cybersecurity, and this is something we should all be considering. As part of this we need to be promoting the benefits, stability, job satisfaction and opportunities for progression that a career in cybersecurity offers – it is a high demand area and that isn’t likely to change any time soon.
Organisations need to think about retention too. The rise of remote working has opened up a more global market, allowing high performers to look beyond their local area. Therefore, emphasis on training and development must be a priority, not just to keep pace with a rapidly evolving industry but also to offer a challenging and rewarding career.
By creating the right environment – where the tasks best suited to bots are automated and where human talent is valued for its skills and ingenuity – we can play our part in building and nurturing the next generation of cyber security talent ready to protect and defend the new, ultra-connected, data-driven business.
2022 will be yet another busy year in cyber, and it’s the nature of the business that we often focus on responding to the immediate threat in front of us, but I’d urge all my peers in the industry to devote some time to the longer term and how we can draw more talent into this unique and essential sector.
Written by Chris Reffkin, CISO of HelpSystems