The root cause of cyber risks?
Budget allocation is a quick fix that many believe will solve their problems, but it can hurt in the long run
Sometimes the obvious isn’t so obvious. It seems that many businesses believe that they are protected because they have a security person, IT supports that person, they have firewalls, they get an annual penetration test, and they “fix” things the tests find. Sound about right?
In the recently published Part II of the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) “Through the Eyes of Cyber Security Professionals,” it was uncovered that many businesses are put at risk because they haven’t enough staff and the staff that they do have, aren’t getting the right training and support they need to protect the organization.
Let’s face it, protecting the organization goes beyond firewalls, the 10-plus-to-1 ratio of IT to security staff – it’s about making a solid investment, and I’m not talking about a budget line item. Budget allocation is the quick fix that many believe will solve their problems. However, as most of us learn, the quick-fix approach will be enough to “get you by”, but will hurt you in the long run.
A solid investment goes way beyond that. It’s about investing in your business through thoroughly understanding where all of the businesses risk lay. Whether it is in people, processes or the technology (or lack thereof). It’s a way of doing business.
When business leaders are faced with critical or costly problems within other parts of their business, many often turn to root-cause analysis to understand the underlying problems. Essentially, the ESG/ISSA research has done much of that for them. The research data suggests that businesses are not investing in their cybersecurity staff. Oh, they are investing in cybersecurity, by way of spending millions (collectively) on security technology, but not on their staff.
What good is it if your cybersecurity staff doesn’t have the right skills, such as fundamental program management, or struggling to keep up with the latest technology, or better yet, the time to do daily tasks while keeping an eye on the latest threats because they are expected to do multiple complex security functions?
All of this leads me to say that, for many businesses, they just don’t “get” cybersecurity, and that’s OK. However, it’s not OK for businesses to not take the time to learn. I do not expect them to “learn” cybersecurity, but rather to learn what are the business challenges faced by cybersecurity staff.
I challenge business leaders to take your cybersecurity staff member (or IT person responsible for cybersecurity) aside and ask: Do you have enough staff to get what needs to get done, do you have enough time to attend training, share with them the business goals and what needs to be protected from that perspective?
You’ll be surprised that by having this type of conversation will be the beginning of your making a solid investment. And it is better to make that investment now, rather than when it’s too late. It’s the same as spending a bunch of money but not seeing any results – which I’m sure is a familiar sentiment to many business leaders. Make sure your investment and spending is in the right places.
After all, cybersecurity is just another business issue.
Candy Alexander, a New Hampshire-based cybersecurity consultant and a member of the board of directors of the Information Systems Security Association, can be reached at email@example.com.