Most large companies have spent decades under-spending on information and cybersecurity, says David Foote, partner and chief analyst at the research and analysis firm Foote Partners. That fact, combined with the skills shortage for cybersecurity experts, can create some real vulnerabilities for both large and small organizations.
In part one of a three-part interview, Foote described how the IT talent shortage can hamper digital transformation, and how smart companies are planning ahead and developing internal talent for future needs. In part two, he explained how the rise of the Internet of Things will create crippling shortages in some key areas, and what to do now to prepare for it. In part three, he takes a look at cybersecurity and how to handle the skills gap in that area.
The Enterprisers Project (TEP): You've predicted that there will be more high-profile security breaches. What should companies be doing now to try to avoid them?
Foote: Let's begin by being clear on the difference between information security and cybersecurity. Information security is about creating a perimeter around your network. But it's not unusual now to discover that if you're breached, intruders have been inside your system for two years.
You can put all your effort into your perimeter but it will still be pretty porous. People are starting to realize that the bad guys seem to be almost at will going into systems, such as Russians hacking the Democratic National Committee. You cannot stop hackers and hacktivists. You can reduce intrusions, but you can't completely stop them.
The question is not only how do you keep people from getting in, but once they're in, what did they take, what's the root cause of the intrusion, and how do we prevent it next time? For that, you need cybersecurity. One of the big differences between the two is that cybersecurity requires a different understanding of compliance with things like HIPAA and the Gramm-Leach-Bliley Act, and SOX. You have to understand what assets you have – it's called valuation of asset inventory – see what it's worth and what would happen if it were stolen.
TEP: What are some of the factors that make companies especially vulnerable these days?
Foote: There have always been lots of information security people around, but companies weren't hiring them. If you were a CEO and someone came to you at budget time and said, "We can launch a new product and make $20 million in the next 18 months, but we'll need $10 million to produce the product," and the CISO came to you and said, "We need $10 million to protect the company," where would you choose to spend that $10 million? Most would spend it on the new product that will more than pay for itself. So for many years, quite a bit of the spending on security was just enough to comply with the law, and any discretionary funds were spent on a case-by-case basis.
For many years, it was difficult to hire people in the security area and security investments were skeletal. It's amazing how lean security organizations were. Cybersecurity was really the domain of government and the energy industry.
TEP: But that's changed in the past few years.
Foote: Yes. Now, of course, it's everywhere, and it's a concern of everyone. Now it's a board issue. You can lose your job, and as a board member, you can be personally sued, which is what happened with the Target breach. Now we know a security breach can take you down and it can mess with the price of your stock. All of a sudden, this is not something you entrust to a CIO or CISO, it's a board issue. It's related to shareholder value.
TEP: So suddenly, people are hiring?
Foote: Yes. But cybersecurity skills worldwide are in real scarcity because there hasn't been enough time to develop seasoned talent. The federal government announced last year that it planned to hire 6,500 cybersecurity professionals. My guess is they've come nowhere near that number.
Consulting firms get the first pick of everything, and large metropolitan regions monopolize the talent pool. And then a lot of large institutions are handicapped by the fact that they're so specialized, which makes it difficult to develop talent internally.
Surgeons graduate from medical school and wind up doing 12 to 14 surgeries a day, but you don't learn how to do that in medical school. You learn it by doing a lot of surgery over a long period of time. A lot of it is experience-based. So the problem will take care of itself naturally over time, but we have to be patient and wait for graduating cybersecurity people to do more threat assessments and get better at threat intelligence. Meanwhile, new solutions are emerging using machine learning. That will help as well.
TEP: That's great, but what should companies do in the meantime?
Foote: They need to come up with a viable cybersecurity strategy and build a great security team. That means rethinking everything you're doing. Continually assess where you are and where you need to be, and what talent you've got. Knowing where you need to be is usually the most difficult part of that.
Then form a crisis management team assigned to address the unexpected. Teams like that usually come together when there's a crisis, but you should assume crises will come at you on a regular basis. Look for proven business skills for your team. Many IT leaders say, "I have all the security nerds I want. I need people who can explain highly technical, security-related matters to non-technical people because we're fighting over budget all the time."
TEP: Where do you find those kinds of people?
Foote: It's a big thing now: people are hiring biochemists and liberal arts majors for security jobs. They're recruiting in the most unlikely places because they're realizing they need a lot more than technology talent. These jobs require more pattern recognition skills. We've heard that companies are hiring liberal arts people because they have a broader background and better pattern recognition skills. They're less rules-based.
The other thing you need is communication skills. Some kind of PR person who can be a representative of information and cybersecurity to the enterprise, focusing on teachable topics. That's something security hasn't had but has desperately needed for years and years. You can set a security policy but you can't make people adhere to it if it's inconvenient. A lot of security breaches happen not because security is difficult or controversial, but because every dollar spent on security is a dollar not spent making money.
Privileged Account Security – The Giant Dirty Secret and massive hole in most organizations' cybersecurity. Why isn't it being addressed? Lack of Courage.
My Background – 15 Years - Systems Engineer, Program Manager and Engineering Manager for Lockheed Martin – Aircraft Simulation, NORAD and the Aegis Weapon System. Commercial IT Project Manager for 11 years. Including cybersecurity.
Also post 9/11 DoD/DHS whistleblower – IEEE Barus Ethics Award recipient - http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4468728
The overwhelming majority of companies and government organizations are avoiding the most critical cybersecurity practice of all: dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate, because virtually every hack on record was accomplished by someone gaining access to a privileged account, then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed.)
Of the small fraction of companies that even deal with this area, only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things, they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will take decades to finish. This puts everyone at risk.
Here is how bad things are. CMU CERT is the premier authority on cybersecurity best practices, especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security, and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?
Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords, and software programs with passwords hard-coded in them, with many not knowing where they all are. Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards that they even existed in the first place. Governing bodies and regulators mean well, but they don't help much. This is because the relevant regulations (SOC, HiTrust, etc.) are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available off-the-shelf products that can significantly reduce the threat.
This is not a technical issue. It's one of courage: courage to admit the root causes exist, to deal with the culture and lead them to fix them, to not sacrifice customers to protect egos or let the bean counters justify that it's cheaper to harm customers than the bottom line.