The shortage of skilled personnel in cyber security will continue to challenge organisations for some time to come. In Australia, recent figures confirm a deficit of more than 3000 specialists by 2026. In the UK, a recent study by Russell Reynolds Associates, reported by the consultancy.uk website, highlights that this problem extends beyond the security sector.
When asked what the main threats to their businesses were, directors responded, as the chart below shows, that the availability of talent/skills is the most urgent concern. The only other urgent concerns were the geopolitical and the current economic situation.
Compounding this skills shortage is the fact that cyber security threats are apparently a “notable” concern. Interestingly, with no sign of the current spate of attacks abating, businesses still believe they are prepared for cyber threats. Senior teams at Medibank, American Airlines, Rockstar Games or Uber might question that right now. The list of newsworthy breaches for 2022 isn’t exactly short, and so the confidence displayed in the survey might be somewhat misplaced.
What we do know is that cyber security is a labour-intensive business and skills shortages hamper the ability to manage risks. A resource shortfall makes it difficult to manage networks, deal with attacks, improve cyber security posture and drive improved resilience. Even operations and activities that should be routine, like patching or threat hunting, can be difficult to achieve when resources are tight.
The increased focus on cyber security from security agencies, third-party providers and even insurers looking for companies to tighten security controls means security teams are under increased pressure.
Time is of the essence. Greater demands on existing resources will, without greater productivity, mean pressure for increased headcounts. Introducing process efficiencies to some of the more onerous and repetitive security tasks – often the ones that frustrate security teams the most – will assist in closing the gap between skilled resource supply and demand. Every organisation is looking to transform its processes for improved efficiency and performance, and cyber security is not unique.
Organisations spend hundreds of hours collecting security performance data as part of their internal reporting processes. Collating data into a meaningful security report to guide risk mitigation and inform cyber security oversight can quickly become burdensome. The risk environment is changing fast – with new attacks and exploits – so the more frequent your cyber status reports, the more relevant they’ll be. A scale problem is developing with the need for more regular assessment by too few security specialists. Increased quality and frequency of reporting is required to meet ongoing governance needs.
Tools with high levels of automation already exist to systematically gather and report on configuration and security performance. See Huntsman Security’s Essential 8 Auditor and SmartCheck solutions as examples.
The problem these solutions solve is a simple one. Providing an evidence-based answer to the question:
“Are we doing what’s necessary to protect our business and its IT assets?”
Cyber security technology now reliably automates the laborious and time-consuming tasks of data gathering and analysis, and frees up resources to perform higher-value interpreting tasks. Not dissimilar to the industrialisation of many human activities, machines can perform some data processing tasks more accurately and efficiently.
Managing the cyber-attack surface, the areas where IT assets and their exposure to vulnerabilities can merge to create potential points for unauthorised access to your IT systems, demands particular defensive efforts. A detailed level of “inspection” and analysis of security information about a detected risk is required to assess the effectiveness of the controls. An attack can occur from any unmitigated vulnerability, so it’s very important to be able to measure and have visibility of how effective the mitigating controls are around it.
Empirical cyber risk information informs security stakeholders across the enterprise. It informs security and risk teams in their mitigation efforts and of third-party suppliers’ compliance levels, senior executives in their risk management efforts, and directors in their cyber security oversight.
So if specialist cyber security talent is in short supply, as current surveys suggest, organisations must review resource-hungry and burdensome processes and replace them with data-driven security information systems that evidence and inform more effective cyber security decision-making.