For almost every business, cybersecurity and the constantly evolving cyberthreats from organized crime and foreign governments are a pervasive concern. Companies take a variety of paths to address cyber threats, but ignoring the “elephant in the room” is no longer an option. It is hard to miss news reports highlighting breaches and damaging reputations. In the Equifax breach alone, the identity of 145 million Americans was stolen, and congressional investigations continue. The government is not immune either. The 2015 hack of the Office of Personnel Management compromised the records of 23 million current or former government workers.
Cybersecurity Ventures currently projects that cybercrime will cost $6 trillion annually worldwide by 2021, up from $3 trillion in 2015. Insurance giant Lloyd’s of London estimates that these attacks cost businesses $400 billion a year (including both direct damage and disruption to normal operations). Given these staggering statistics, how should companies proceed and protect themselves?
Take Stock of Your Cyber Program
We have worked with small and very large companies to build their cybersecurity programs. Sometimes we see companies launch major spending initiatives following an incident or scare. While this may feel like the right approach, it frequently misses the mark. This is particularly true given that cyber resources are difficult to find and tend to demand high rates. In addition, most cyber incidents are the result of people not doing the right thing, rather than the lack of a technology solution.
Every crisis contains both dangers and opportunities for organizations. The same is true of cybersecurity threats. As noted above, the threats are pervasive. What are the opportunities?
Opportunity #1: Standards-Based Approaches
Perhaps the first opportunity for companies is to consider which well-thought-out options exist for implementing cybersecurity approaches, or for fine-tuning existing programs. One good option that applies to both government and commercial programs is the National Institute of Standards and Technology’s Risk Management Framework. Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was signed in 2013. The order states that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
This executive order called for the establishment of a voluntary, risk-based framework consisting of industry standards and best practices to help organizations manage cybersecurity risks. The resulting framework is the product of a collaborative effort involving both the government and the private sector. The framework introduced a common terminology for managing cybersecurity risk in a cost-effective way. Notably, the framework is provided without introducing additional regulatory requirements on businesses.
Opportunity #2: Leverage Talent Partners and Labor Arbitrage
Current projections forecast extreme shortages of talent in the cybersecurity field. One forecast projects that demand for security analysts will grow at a 28% annual rate through 2026. Given the challenges of finding cybersecurity talent and the projected shortage of these critical skills, innovative approaches may be warranted, such as building these skillsets from the ground up through non-traditional means. For example, identifying promising new college hires and providing cybersecurity training through a dedicated training pipeline may be more cost effective for organizations than paying high market rates. As an example, Genesis10 has provided this type of “grow your own” training for both entry-level Java resources and more advanced Enterprise Data Management skillsets. In both cases, resources are identified, onboarded and trained before they begin work for the client organization.
Another option is to leverage demographic trends between markets to find cybersecurity resources. If your organization is in a market with very limited cybersecurity talent, we have successfully identified and onboarded talent from other markets through dedicated national searches. Another approach is to leave these resources in place and allow them to work from one of our six SSAE 18-certified domestic delivery centers.
Opportunity #3: Don’t Automatically Accept Out-of-the-Box Solutions
Finally, if you are considering placing your trust in a vendor-provided solution, it would be advisable to proceed with caution. One size does not necessarily fit all organizations. Vendor solutions may miss the mark because of the unique processes, challenges, and nuances of an organization.
We believe a data-driven, culturally aligned, and thoughtful approach is needed to foster a mature security program, minimize risk, and drive business value. This approach should account for three critical success factors:
Outcomes and Next Steps
What are you aiming for in your agile transformation, and what are your logical next steps to success? Do you get the mental head nod from your executive sponsor, or a puzzled look because you have not yet clearly defined the problem? Perhaps a data-driven, culturally aligned and thoughtful approach is needed to foster agile maturity and drive business value, rather than the big bang. If so, we would be happy to help.
Also read the Genesis10 blog Demand for Cybersecurity Grows as Skills become More Challenging to Recruit.