The cyber security threat has grown rapidly over time as attackers become more sophisticated in their approach and legacy technology becomes more vulnerable. But addressing this threat is not as simple as investing in new technology. Without the right people in charge, organisations remain at severe risk.
All too frequently we see smart technology left on the shelf, poorly configured, infrequently tuned or unoptimised, which leaves it delivering minimal value. With no clear market leaders, we also know the cyber security market is difficult to navigate, so inevitably products are bolted together in the hope that they will collectively address the security risk.
The right people will know how to build the complete solution; they will know how to transform generated data into intel and dashboards that allow the organisation to make informed decisions on what has happened and what might happen. They will be able to think broadly and communicate their work not only in the language of cyber and security, but in the language of a business-orientated and human audience.
According to ISACA, there will be two million unfilled cyber security jobs globally by 2019, proof that it is difficult to find the right people. And in cyber resilience, one size does not fit all. Depending on the organisation's size and needs, it may take a different approach to sourcing the talent: investing in and upskilling the current or a new workforce, using expert headhunters to source the right candidate, or outsourcing its cyber security requirements entirely.
Using the National Institute of Standards and Technology (NIST) framework as a guide, the knowledge and skills required vary significantly depending on the business needs in question. Take the two examples below:
1. A small organisation that uses cloud services and managed service providers for all its digital needs should have a team equipped with skills and knowledge in the following areas:
   - Third-party cyber risks
   - Development and verification of contracts and SLAs that meet the cyber needs (e.g. GDPR and the 72-hour notification window for material breaches that impact Personally Identifiable Information)
   - Embedding a cyber culture in the organisation
2. A large organisation that develops its own applications and owns and manages its infrastructure should aim to cover the following five skill 'pillars':
   - Identification: be able to optimise governance policies and procedures and understand the business environment, assets, risk assessments and strategy.
   - Protection: be able to procure, implement and tune the appropriate access control, data security and information protection processes, procedures and technology, and ensure there is appropriate awareness training across the organisation.
   - Detection: be able to procure technology and use people and processes to provide continuous monitoring, detection and handling of events and anomalies.
   - Response: be able to analyse events, provide mitigation and improvements, and ensure appropriate communication is undertaken internally and externally.
   - Recovery: be able to provide recovery planning, identify improvements, and ensure appropriate communication is undertaken internally and externally.
Understanding the various areas that need to be covered will allow managers to make the right decision when bolstering their cyber security teams with the right talent. Working closely with current IT departments and with relevant risk assessment departments or organisations can give management a clearer idea of the vulnerable areas and the right solutions.
Different organisations will need different levels and types of support, but there is no question that all of these solutions require the right people at the helm. Without the correct people, risk mitigation efforts may be rendered worthless and could still leave organisations incredibly vulnerable to the growing sophistication of cyber-attacks.
By Nigel Munden, Head of Cyber Security at TORI Global
Nigel is a general manager with Sales, Strategy, Marketing, Business Development and Product Management experience gained running product and professional services businesses internationally.
He joined TORI from Intel Security, where he was VP for Professional Services for EMEA, managing five regions and a portfolio of cyber security practices covering Consultancy and Advisory, Product and Training. Prior to Intel, Nigel worked at Juniper Networks, Nortel Networks in the UK and France, SalesTools, as well as IBM and ROLM in the UK and USA.
About TORI Global
TORI Global. Experience. The difference.
TORI Global is an independent consultancy delivering insight-led, outcome-based advisory services to the financial services sector. As a disruptive player in the consultancy space, TORI Global consistently challenges the status quo and won't shy away from telling clients what they need to hear, not what they want to hear. By placing industry experience at the heart of its consultancy, TORI Global is able to provide qualified, expert advice to answer the real business challenges of its clients and deliver the success they deserve.