On October 19, 2021, we published the book, "Modern Cybersecurity: Tales from the Near-Distant Future". This is an excerpt from one of the chapters.
Businesses propelled into the future as a result of the pandemic. Social distancing rapidly enabled remote work and decreased our reliance on human physical presence to drive tools and technology. "Automation and cloud!" became the war cry of the digital business fighting for supremacy in the new world. The rapid changes, however, created a myriad of security concerns. Increased cyber-attacks (including ransomware) showed while technology is at the heart of digital transformation, as we increase our reliance on it, it also becomes our Achilles heel.
Business leaders struggle with questions such as: "How do we secure ephemeral assets? How do we manage cloud services that are upgraded and rapidly developed by the cloud service provider? How do we know where all our assets are in an agile, dynamic environment?" We need business agility and to move away from project management into product management. We must develop services to deliver the business outcomes leveraging the technology that is powering the business. Concurrently, organizations need to build a matrix for hiring, skills development and automation.
Building a center of excellence for Securing Modern Cyber Assets
The COVID-19 pandemic has changed the way we interact with the world. It accelerated us into a future where technology now leads the business. The healthiest businesses to come out of the pandemic will be those that embrace digital transformation. Digital transformation is the process of changing a business so that it focuses on continuously unlocking value through new ways of working, new business models, and new technology. The cloud became increasingly important within organizations' reinvention during the pandemic as hardware shortages, a need to work and collaborate remotely, and access to next generation capabilities like Artificial Intelligence drove many businesses to change the way that they worked.
More and more companies have been working online with many people working from home during the pandemic, connecting in real time through video conferencing applications and accessing assets that are remote, local or even ephemeral. I love J.P. Gownder, VP, Principal Analyst at Forrester's quote, "The future of work isn't something that happens to you — it's something you create for your company and your own career". The employees within an organization create a company's own culture and culture is critical to success and cybersecurity.
The culture that is predominant in the successful business of tomorrow according to the industry analyst Forrester, is one that supports the adaptive security workforce. The adaptive workforce taps into technology innovations — particularly AI and automation — to become more flexible, responsive, secure, productive and supports the broader adaptive enterprise strategy. Forrester emphasized a critical attribute of the adaptive workforce is swarm teams, which assemble employees from cross-functional groups to destroy silos, drive innovation, embed security and solve problems. These teams are assembled and disassembled as projects or products are complete.
Silos are the enemy of agility; it is critical to provide tools that encourage collaboration and break down divisions. Collaboration and the technology that simplifies the ability to optimize agile work methods is critical to business success. We see organizations acknowledging the need to collaborate with suppliers, customers and across different business lines. It is reflected in the uptick in usage of collaboration tools like Microsoft Teams, Zoom and Google Meet. Microsoft now has 145 million people using its Microsoft Teams communications app. This is another increase of 26 percent since Microsoft revealed Teams usage had jumped during the pandemic to 115 million daily active users in October 2020. 1
Shared Responsibility Model
The most successful businesses in the new world will leverage technology to optimize and invent new revenue streams. The way we managed and secured the assets of the business of yesterday is entirely different from the way we approach it for the business of tomorrow. The use of the cloud has had a profound impact because it imposes a shared responsibility model, as well as the usual legal and regulatory impacts. By its nature, the cloud changes the way that we deliver services because the cloud is a platform. It provides access to a myriad of capabilities like AI and voice recognition that was formerly only in the reach of large and powerful technology companies.
As of 2021, AWS and Azure comprises over 200 products and services including computing, storage, networking, database, analytics, application services, deployment, management, machine learning, mobile, developer tools, and tools for the Internet of Things. The plethora of capabilities opens up so many opportunities to both small and large businesses. To harness these services that are constantly being introduced, it will require a talented workforce and a structured approach to leveraging services that provide benefits in line with business strategies and goals. According to Gartner, 58% of the workforce will need to use new skills due to changes resulting from the pandemic.3
Top Priority for CIOs
In the Gartner 2021 CIO Agenda Survey, cybersecurity was the top priority for new spending, with 61% of the more than 2,000 CIOs surveyed increasing investment in cyber/information security this year. Gartner predicted that 95% of all cloud security incidents will be the customer's fault. Security services —including consulting, hardware support, implementation and outsourced services— represent the largest category of spending in 2021 at almost $72.5 billion worldwide. 3 Although information security budgets continue to grow, according to the (ISC)2 Cybersecurity workforce study 2020, the global cybersecurity workforce needs to grow 89% to effectively defend organizations' critical assets.
The ISACA's 2020 State of Cybersecurity4 similarly echoes the challenges around cybersecurity resources with the following statistics:
- 62 percent say their organization's cybersecurity team is understaffed, and 57 percent say they currently have unfilled cybersecurity positions on their team.
- 70 percent say that fewer than half of their cybersecurity applicants are well qualified.
- 72 percent of cybersecurity professionals believe their HR departments do not regularly understand their needs.
- 58 percent of respondents anticipate an increase in cybersecurity budgets, an increase of three percentage points from last year, but less than the 64 percent reported two years ago, signaling that spending may be leveling out.
The Limiting Factor: Security Talent
The availability of security talent — or lack thereof — has emerged as the key limiting factor in information security's ability to secure the modern business. A recent survey by Gartner estimates that through the year 2023, "99% of firewall breaches will be caused by misconfigurations, not firewalls." Gartner also states that "50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet," which is an increase of 25% since last year5. The cost of not having the right people with the right skills to secure modern cyber assets can be crippling in terms of data loss, regulatory fines and brand damage. The lack of security talent underscores the need for CISOs to match top performers with their highest-impact projects and to identify low-value projects that they can delegate, outsource or eliminate. The traditional approach to allocating talent simply isn't agile enough for today's fast-changing conditions.
CISOs need to move from a project-based approach to a product portfolio-based approach which enables better skills management. To build business-centric and transparent portfolios, first define a set of portfolio objectives to guide how they invest in technology, skills and process development across the enterprise's diverse needs before considering individual projects. Rather than dividing investments evenly across portfolio objectives, deliberately channel disproportionate investment toward the enterprise's key strategic priorities.
Next, begin triaging funding proposals using a two-step mechanism. The first step is an initial lightweight assessment that organizes proposed projects according to the business objectives they support. Security projects with a clear business impact are fast-tracked for inclusion in the portfolio, while low-impact projects are set aside. Medium-impact projects require a second, more comprehensive review that relies on a larger set of criteria to determine service value.
Finally, CISOs need to communicate their portfolio decisions to business stakeholders. Provide transparency into decision making and offer opportunities to the business stakeholders to share input on the way security resources are allocated. I recommend assigning a chargeable rate to resources so that service or product development is not subject to spiraling costs. For small companies, simply assign costs according to titles. For instance, senior engineers are $100/hour and junior engineers are $80/hour. Those internal costs may not be reflected externally, but it allows the product manager to assign costs for a development budget. This acknowledges that a large amount of the cost of a service when built right comes from the subject matter experts building out things like standard operating procedures and proof of concepts.
It is possible to use spreadsheets, or more sophisticated tools, but without providing tools for the product manager to model the use of (internal and external) resources and understand the cost of development, they will always reach for the unicorn resource rather than spread tasks across more experienced and less experienced subject matter experts.
This has been an excerpt from Sushila Nairs's chapter, "Reinventing the Cybersecurity Workforce" in the newly released book, "Modern Cybersecurity: Tales from the Near-Distant Future". The book is published in a digital version for free download by the community or is available in hard copy format on Amazon.