With growing concern about the threat of cyber attacks in recent months, many businesses are looking to hire security talent in-house. That shift towards in-house security has caused a vacuum of available talent across an already in-demand industry.
Hiring in-house might just work for some of the bigger organisations around the world; those with the deepest pockets and extensive tech expertise. Yet a single internal team can still struggle to have the expertise and capacity to know everything. To fully understand what’s happening inside and outside of their organisation, 24/7, and the measures and approaches to secure against both current and emerging threats, is a big ask. And there is so much at stake – a single ransomware attack (where computer files are maliciously locked and a ransom demanded from the user before they are unlocked) could result in a small business being out of action for weeks or months, with no way to retrieve the information they had.
The way forward for SMEs is a shift towards a leaner and more focused operating model: combine a light-weight internal team who are specialised in general architectural and best practice requirements with outside support. This should consist of a suite of products for monitoring the infrastructure and a set of professional information security service organisations that can plug-in as needed.
Why lean is better
Often an organisation’s infrastructure is a complex beast, with new capabilities being added, and new software updates being installed every day. This shape-shifting can start to look like a many-headed hydra, so the critical capability to manage security is a clear understanding of this organisational context, at all times. The team must know what changes have occurred and when, while having the expertise to advise on best practice architectural decisions across both hardware and software.
What supports them is a series of tools which plug-in across their infrastructure. A number of capabilities are available across the industry to monitor infrastructure, but we don’t yet trust them to know everything. Just like a driverless car, they’re great in 99 per cent of situations, but it takes one wrong move where data or a threat is misinterpreted, for serious damage to be caused. Until the security tool landscape matures, the team needs further support.
This is where third-party information security professional services can plug the gap. In a similar way to legal services, with its myriad of domain experts, the same is available across the cyber industry. A whole host of different skills are needed, from understanding the cyber regulatory and compliance landscape, through to understanding current best practice for security posture, what future architectural changes mean for risk and security, and how to migrate in a safe and secure manner.
Key personnel
There’s one person who can stitch this all together to ensure a cohesive approach to security: an on-the-ball Chief Information Security Officer (CISO). The right person for this role understands the industry not only from inside an organisation, but also keeps abreast of the latest threat intelligence data, so they can know how potential attackers think.
In the future, we will see intelligent automation of security across an organisation. Until that day, and with the ongoing shortage of security professionals, we’ll continue to see the information security professional services industry carry on booming.
With the right CISO at the helm, a lean and architecturally minded team, the right intelligent tools, and the support of high quality professional services teams, organisations of all sizes can better protect themselves from the constantly growing and evolving threat landscape.
