By Candy Alexander, CISSP CISM
I know, in reading the headline it seems obvious doesn’t it? But that’s just it. Sometimes the obvious isn’t so obvious. It seems that many businesses believe they are protected because they have a security person, IT supports that person, they have firewalls, they get an annual penetration test, and they “fix” things the test finds. Sounds about right?
In the recently published Part II of the Enterprise Strategy Group (ESG) and the ISSA (Information Systems Security Association) “Through the Eyes of Cyber Security Professionals” report, it was uncovered that many businesses put themselves at risk because they don’t have enough staff, and the staff they do have aren’t getting the right training and support they need to protect the organization.
Let’s face it, protecting the organization goes well beyond firewalls and the 10+ to 1 ratio of IT to Security staff. It’s about making a solid investment, and I’m not talking about a budget line item. Budget allocation is the quick fix that many believe will solve their problems. However, like most of us learn, the quick fix approach will deceptively seem to be enough to “get you by,” but it will hurt you in the long run.
A solid investment goes far beyond that. Producing long-term success involves investing in your business with a thorough understanding of where your business is exposed. It’s critical to determine whether risk is in people, processes, technology, or in some combination of the three – and then to fortify the weak links. This assessment and readjustment needs to be an ongoing feature of your approach to doing business.
When business leaders are faced with critical or costly problems within any particular aspect of their business, many turn to root cause analysis to understand the underlying complications. Essentially, the ESG/ISSA research has done much of that for them regarding their infosec needs. The research data suggests that businesses are not investing enough in their cybersecurity staff. Oh, they are investing in cybersecurity, by way of spending millions (collectively) on security technology, but not on their staff.
What good is cutting-edge technology if your cybersecurity staff doesn’t have the right skills, such as fundamental program management, or the time to keep an eye on the latest threats because they are overwhelmed executing multiple complex security functions?
Ultimately, many business leaders don’t “get” cybersecurity, and that’s okay. That’s where we, the InfoSec professionals, come in after all – we live, breathe, and offer protection in that dark space they don’t understand. The business leaders that navigate their industries with success, without being taken down by unexpected cyber assaults, will not need to become cybersecurity experts, but they will need to understand the professional needs and challenges of their cybersecurity staff.
I challenge entrepreneurs and CEOs: Take your cybersecurity staff member (or IT person responsible for cybersecurity) aside and ask them, “Do you have enough staff and the right tools to accomplish your objectives? Do you have enough time to attend trainings and stay current?” You’ll be surprised by the insight this conversation produces into their world, and consequently into your true cybersecurity needs. The outcome will be a more effective and satisfied employee – and a better protected business. It’s smarter to make this investment now rather than pay a higher price after experiencing a catastrophe that could have been avoided. Invest your time and money in the right place – your cybersecurity staff. The payoff just might be the difference between a viable business and a bankrupt one.
After all, cybersecurity is just another business issue.
About Candy Alexander
Candy has nearly 30 years in the security industry working for companies such as Digital Equipment, Compaq Computer Corporation, and Symantec. She has held several positions as CISO (Chief Information Security Officer) for which she developed and managed Corporate Security Programs. She is now working as a Virtual CISO and Cyber Security consultant.