Operational resilience | Risk Management & Reporting

November 29, 2022

The shortage of skilled personnel in cyber security will continue to challenge organisations for some time to come. In Australia, recent figures project a shortfall of more than 3000 specialists by 2026. In the UK, a recent study by Russell Reynolds Associates, reported by the consultancy.uk website, shows that the problem extends well beyond the security sector.

When asked what the main threats to their businesses were, directors responded, as the chart below shows, that the availability of talent and skills is their most urgent concern. The only other concerns rated as urgent were the geopolitical situation and the current economic climate.

Compounding the skills shortage is that cyber security threats rated only as a “notable” concern. So, with no sign of the current spate of attacks abating, businesses apparently still believe they are prepared for cyber threats. Senior teams at Medibank, American Airlines, Rockstar Games and Uber might question that right now. The list of newsworthy breaches in 2022 is not a short one, and the confidence displayed in the survey may be somewhat misplaced.

What say security leaders?

What we do know is that cyber security is a labour-intensive business, and skills shortages undermine an organisation's ability to manage its risks. A resource shortfall makes it harder to manage networks, respond to attacks, improve security posture and build resilience. Even activities that should be routine, such as patching or threat hunting, become difficult to sustain when resources are tight.

The increased focus on cyber security from security agencies, third-party providers and even insurers, all looking for companies to tighten their security controls, means security teams are under growing pressure.

Reporting cannot be the enemy

Time is of the essence. Greater demands on existing resources will, without greater productivity, translate into pressure for increased headcount. Introducing process efficiencies into the more onerous and repetitive security tasks, often the ones that frustrate security teams the most, will help close the gap between the supply of skilled resources and the demand for them. Every organisation is looking to transform its processes for better efficiency and performance, and cyber security is no exception.

Organisations spend hundreds of hours collecting security performance data as part of their internal reporting processes. Collating that data into a meaningful security report, one that guides risk mitigation and informs cyber security oversight, quickly becomes burdensome. The risk environment is changing fast, with new attacks and exploits appearing constantly, so the more frequent your cyber status reports, the more relevant they will be. A scale problem is developing: more regular assessment is needed, but there are too few security specialists to perform it. Yet reporting of higher quality and greater frequency is exactly what ongoing governance demands.

Cyber security posture reporting with Attack Surface Management

Tools with high levels of automation already exist to systematically gather and report on configuration and security performance. See Huntsman Security’s Essential 8 Auditor and SmartCheck solutions as examples.

The problem these solutions solve is a simple one. Providing an evidence-based answer to the question:

“Are we doing what’s necessary to protect our business and its IT assets?”

Cyber security technology now reliably automates the laborious and time-consuming tasks of data gathering and analysis, freeing up people to perform the higher-value work of interpretation. As with the industrialisation of many other human activities, machines can perform some data processing tasks more accurately and efficiently than people can.

Managing the cyber-attack surface, the set of points where exposed IT assets and their vulnerabilities combine to offer potential routes for unauthorised access to your systems, demands particular defensive effort. Assessing the effectiveness of controls requires detailed inspection and analysis of the security information around each detected risk. An attack can originate from any unmitigated vulnerability, so it is vital to be able to measure, and have visibility of, how effective the mitigating controls around each one actually are.

Time saved pays dividends

Empirical cyber risk information informs security stakeholders across the enterprise: security and risk teams in their mitigation efforts, third-party suppliers on their compliance levels, senior executives in their risk management, and directors in their cyber security oversight.

So if specialist cyber security talent is in short supply, as current surveys suggest, organisations must review their resource-hungry and burdensome processes and replace them with data-driven security information systems that evidence and inform more effective cyber security decision making.
