Do risks really stem from not investing in your cybersecurity staff?

Candy Alexander

I know – in reading the headline it seems obvious, doesn’t it. But sometimes the obvious isn’t so obvious. It seems that many businesses believe that they are protected because they have a security person, IT supports that person, they have firewalls, they get an annual penetration test, and they “fix” things the tests find. Sounds about right?

In the recently published Part II of the Enterprise Strategy Group (ESG) and the ISSA (Information Systems Security Association) “Through the Eyes of Cyber Security Professionals,” it was uncovered that many businesses are put at risk because they haven’t enough staff and the staff that they do have, aren’t getting the right training and support they need to protect the organization.

Let’s face it: protecting the organization goes beyond firewalls, the 10+ to 1 ratio of IT to security staff – it’s about making a solid investment, and I’m not talking about a budget line item. Budget allocation is the quick fix that many believe will solve their problems. However, like most of us learn, the quick fix approach will be enough to “get you by,” but will hurt you in the long run.

A solid investment goes way beyond that. It’s about investing in your business through thoroughly understanding where all of the businesses risk lay. Whether it is in people, processes or the technology (or lack thereof). It’s a way of doing business.

When business leaders are faced with critical or costly problems within other parts of the business, many often turn to root cause analysis to understand the underlying problems. Essentially, the ESG/ISSA research has done much that for them. The research data suggests that businesses are not investing in their cybersecurity staff. They are investing in cyber security, by way of spending millions (collectively) on security technology, but not on their staff.

What good is that if your cybersecurity staff doesn’t have the right skills, such as fundamental program management, or are struggling to keep up with the latest technology, or better yet – the time to do daily tasks while keeping an eye on the latest threats because they are expected to do multiple complex security functions.

All of this leads me to say that, many businesses just don’t “get” cybersecurity, and that’s OK. However, it’s not OK for businesses to not take the time to learn. I do not expect them to “learn” cybersecurity, but rather to learn what are the business challenges faced by cybersecurity staff.

I challenge business leaders to take your cybersecurity staff member (or IT person responsible for cyber security) aside and ask them: Do you have enough staff to get what needs to get done, do you have enough time to attend training, share with them the business goals and what needs to be protected from that perspective? You’ll be surprised that this type of conversation will be the beginning of your making a solid investment. And it is better to make that investment now, rather than when it’s too late. It’s the same as spending a bunch of money but not seeing any results – which I’m sure is a familiar sentiment to many business leaders. Make sure your investment and spending is in the right places.

After all, cybersecurity is just another business issue.

Candy Alexander is a New Hampshire-based cybersecurity consultant chief architect and chair of the Cyber Security Career Lifecycle for the Information Systems Security Association.