How CIOs can plug critical gaps in IT governance

The impact and sophistication of cyber security attacks have created a growing need for better IT governance to protect critical business information, but more than that, they have also created a global demand for talent that is outpacing the supply.

A recent report from Symantec found that the total number of breaches in 2013 was 62% greater than in 2012, with eight of the breaches exposing more than 10 million identities each.

Organisations also face an increase in advanced persistent threats (APTs), which infiltrate a system by stealth, can take months or years to detect, and are aimed squarely at commercial gain — typically the theft of credit card information, customer data or proprietary intellectual property.


ISACA’s research shows that one in five enterprises surveyed in 2013 has experienced an advanced persistent threat, and 66% feel it is likely they will be the target of an APT attack.

According to Enterprise Strategy Group, 83% of enterprises lack the necessary skills to protect their IT assets, yet despite this, many organisations do not appear to be aggressively increasing the number or skills of their cyber security staff. 

ISACA’s 2014 APT Survey found that more than half of the organisations polled (62%) are not increasing security training this year.

Wanted: cyber security professionals

Yet even the enterprises that are trying to increase their cyber security staff face a daunting challenge—there are more job openings than there are qualified professionals. A study by Cisco estimates that close to one million positions for security professionals currently remain unfilled.

There are several reasons for this shortage. One is that it is not a trivial task to master the knowledge required to become truly effective at threat detection and mitigation.

Countering a sophisticated attack by a well-resourced adversary requires much more than a set of baseline security practices. It demands specialist security skills, intelligence-led risk assessments, street-smart education of staff and state-of-the-art forensic analysis skills.

Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies, incident response, and an understanding of the threat landscape and risk management.

Technology skills are not enough

Advanced threat vectors and emerging technologies require that cyber security professionals be skilled in technology. But that’s not enough. Cyber security as a discipline includes the social environment of people, enterprises and related processes.

In addition to other types of risk, social risk primarily arises from people and their behaviour, human factors in IT use, and the emergence of change within the overall system.

To raise awareness of threats within an organisation and drive behaviour changes, cyber security professionals should also be skilled at speaking the language of business, understanding their employer’s business strategy and organisational structure, and communicating effectively with employees at all levels in the organisation, from the mailroom to the boardroom.

In the event of an incident, these skills matter even more: the organisation's specialist team of IT and cyber security professionals, generally referred to as a CSIRT (computer security incident response team), must be able to manage a major incident, conduct a forensic analysis, assess the likely business impact and prepare a post-mortem report for senior management and, often, board members.

The need for a holistic approach

Cyber security is a fast-changing and complex field whose professionals will benefit from access to a foundational body of knowledge, education, and thought leadership from chief information security officers (CISOs) and other security experts working in the industry.

By using industry frameworks such as COBIT to obtain key tools, the specific guidance they require, and the latest tips and insights from the industry, these professionals can keep up to date with ever-changing industry challenges and increasingly sophisticated attacks.


In fact, enterprises that already use such frameworks report that they help to integrate business and IT more closely, increase the visibility of IT with the board of directors, and improve risk management.

International knowledge platforms and professional programmes are also vital for access to the tools and services that help organisations combat cyber security threats. Such programmes can provide networking opportunities, knowledge offerings, and training and education, all of which help businesses ensure that their specialist IT and cyber security teams are fully educated and trained and have the resources they need to manage and mitigate IT security risks effectively.

The growing cyber security skills crisis will not disappear in the near future. However, many organisations are already using industry frameworks and programmes available to them to keep staff fully trained and skilled in their specialist areas.

In addition, with companies, industry organisations, schools and government institutions already publicising and seeking solutions for the growing need for cyber security skills, big strides are being made to broaden the global talent pool of cyber defenders and make progress in the ongoing battle against cyber-attacks.


Sourced from Steven Babb, chair of knowledge board and international VP, ISACA

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...