Cyber security is becoming a growing concern around the globe as new threats and threat vectors are emerging every day.
According to the Identity Theft Resource Center, the U.S. witnessed a record number of data breaches in 2014, about 783, a whopping 27.5 percent year-over-year increase [4]. Further, 82 percent of organizations expect to be attacked by cyber criminals in 2015 [1], underlining the need for security professionals to manage and monitor cyber threats.
Organization-wide cyber security started off being managed by dedicated managers in the IT department. With the passage of time and the increase in the magnitude and variety of threats across channels, cyber security transitioned to the hands of dedicated security managers. The idea of a team with dedicated skill sets and knowledge of the threat landscape handling security breaches was powerful enough for organizations to move in that direction. However, the question still remains as to how well equipped these managers are when it comes to cyber security breaches and data protection.
A combination of technology advances, the ways firms and their customers adopt technology, and evolving business models are constantly creating vulnerabilities that are open to exploitation by cyber criminals. As the adoption of new platforms and technologies like connected vehicles, mobile payments, the Internet of Things (IoT) and emerging technologies like "wearables" gains ground, loopholes are being created that form a thriving space for cyber criminals.
While traditionally the threats used to exist only behind the firewall and beyond it, now they are almost everywhere. They might infiltrate the organization through infected wearable devices worn by employees, through their compromised connected cars parked in the office parking lot, or through any of the innumerable sensors and smart devices embedded in the ecosystem.
The changing threat landscape mandates changing security manager skill sets. IT managers responsible for the cyber security of an organization need to re-skill themselves constantly to keep pace with the changing landscape. At present, their preparedness to handle security breaches is far from optimal. It is disheartening to note that there is still a lack of awareness about the latest threats, and even of whether an enterprise has been a victim or has been attacked at all.
According to an ISACA survey, 20 percent of respondents were not aware of Shellshock as a threat, 30 percent had no idea whether they had been attacked by an advanced persistent threat (APT), and 23 percent did not even know whether there had been any theft of corporate assets.
New types of threats are being identified every day with ever-increasing scope, scale and sophistication. In late 2014, Symantec reported "Regin", a sophisticated spyware program that had supposedly been eavesdropping on infrastructure providers, researchers and individuals since 2008. IT managers who lack training in and knowledge of such self-innovating threats set themselves up for failure and their organizations up for security breaches. Further, as new smart devices increasingly get connected to the cloud, the threats are amplified, because this is still a relatively new technology for which security standards have not yet been firmly established.
Many organizations lack a robust cyber security governance framework. Such a framework acts as a guiding force for security managers and provides clear-cut direction for informed decision making and intervention. A multitude of frameworks that can be used as a reference exist, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, the NIST Cybersecurity Framework, PCI DSS, etc.
The situation is made even worse by the severe dearth of skilled talent in IT security. The ISACA study re-confirms this: 53 percent of organizations take between 3 and 6 months to fill a position in IT security, and 10 percent do not manage to fill them at all. In fact, in 50 percent of the cases, less than one fourth of the resumes submitted for these positions met the required qualifications. Even among qualified professionals, the ability to understand the business is minimal.
The inability of security managers to handle threats effectively cannot be attributed solely to inadequate skill sets. On the contrary, it is a function of a multitude of factors, a key one being the reporting structure and senior-level commitment. As per the ISACA study, in 60 percent of the cases IT security reports through the CIO, and 70 percent of CIOs do not even report to the CEO or the board. Board-level involvement is a must in matters of cyber security, since it gives security managers a sense of accountability and helps them invest in the toolsets and technologies required to increase effectiveness.
A significant number of organizations are not addressing third-party cyber risks properly. From the supply chain perspective the cyber security risk is substantial, as a lot of sensitive and valuable information is usually shared with suppliers. A supplier accidentally giving cyber criminals access to intellectual property, customer or employee information, commercial plans or negotiations is a real possibility. Cyber security experts should work closely with the contracting departments to ensure that a thorough risk assessment of suppliers is done and that measures are put in place to mitigate this risk.
Countering cyber security threats needs a top-to-bottom approach and should not be seen merely as the responsibility of the IT security manager. It needs a rethink on many issues; some are related to engagement and strategy, while others are simply a change in attitude in terms of self and partner evaluation and stress testing of the cyber security infrastructure.
Managing cyber security in today's evolving business environment is a daunting task, but it can be largely manageable if there is top-level involvement and a holistic plan based on a solid understanding of the business and the threat vectors. IT managers need to evolve and adapt to the changing threat landscape. This will ensure their survival and, more importantly, the survival of their parent organization.
Vijay Bharti, head, Cyber Security Practice, Happiest Minds Technologies