October is Cybersecurity Awareness Month, an opportunity to think about cyber safety in your organisation and how digital security is evolving. Here are five topics that come to mind for us:
The cyber skills shortage will continue
There has been a severe shortage of cybersecurity skills for years, creating almost 4 million unfilled roles and affecting 71% of organisations. Despite efforts to train more security professionals, those efforts have hardly made a dent. Not only that, but training growth appears to have stalled. Though countries like the UK have increased the number of cybersecurity graduates by 34%, overall, 2023 produced only 0.1% more qualified people than in 2022.
The takeaway is that companies must become more creative in addressing skills shortages, such as using risk management, managed services, and automation to create more targeted and efficient security operations.
Companies should also explore options that help to enhance training, such as widening the talent pool and investing in other geographies where there is often eager talent and lower costs. Retention is just as crucial—keeping people is easier than recruiting new ones.
Risk makes cybersecurity proactive
Leaders at organisations have made great strides to take cybersecurity more seriously. Only a few years ago, it was still normal for boards and senior executives to treat cybersecurity as just another business function and cost centre. But new regulations and, most crucially, rapid digitisation following the pandemic years have created a heightened awareness of cybersecurity and of the need for leaders to own it.
However, awareness is not the same as understanding a very technical and complex field, creating gaps in communications and priorities. Also, business leaders have other priorities and can't drop everything in the service of better security. This standoff has encouraged the development of risk-based security planning, supported by new frameworks such as Gartner's Continuous Threat Exposure Management (CTEM).
These frameworks aim to prioritise cybersecurity plans based on organisational risk: focus resources to protect a company's most important and vulnerable areas. While risk analysis and cybersecurity are not strangers, this new risk-first mindset boosts proactive and efficient cybersecurity.
Generative AI is boosting both sides
When generative AI such as ChatGPT, Google Gemini, and Meta.ai arrived in 2022, many experts warned that cybercriminals would use the technology to boost their attacks. This prediction turned out to be correct. Online criminals are using generative AI to industrialise established attack methods, especially scams. They are producing content faster, in more languages and with more personalisation, and improving malicious software.
Yet, the phenomenon works both ways. Security providers such as Performanta have added generative AI to improve data, alert, and threat analysis. We're combining these tools with other forms of AI and automation to analyse and respond to threats at machine speed.
While the impact of generative AI on cybercrime seems scary, the boost to cybersecurity has been profound—and it's only beginning. Companies can mitigate their security threats by applying continuous security assessments and regular penetration testing, educating employees about the latest threats and best practices, and developing a clear incident response plan articulating containment, eradication, and recovery. Also, check that your security provider is paying attention to generative AI's growing relevance to security.
Credentials remain crucial
Every year, someone writes an obituary for passwords, and yet they don't seem to be going anywhere because we lack good alternatives. During 2023 and 2024, the tide looked like it would shift as Passkey technology started to spread to more services. Passkeys are a passwordless technology that uses devices and their security features to unlock accounts. They developed on the sidelines for several years before recently gaining wider adoption, reaching over 1 billion uses earlier this year.
Passkeys are a great concept and can help close the gap between user convenience and strong security. There is also greater interest in using biometrics for authentication, especially as more devices include fingerprints and facial recognition. However, passwords are not receding. Passkeys have their drawbacks, and biometrics can be fooled.
Passwords have many flaws. In a perfect world, we wouldn't rely on them. But realistically, they will remain with us for years. So, we must continue teaching users to create strong passwords and use features such as multi-factor authentication.
CISOs and their teams need more support and coverage
Chief Information Security Officers (CISOs) are well-compensated for their work, with annual incomes averaging US$500,000. However, such levels of compensation only start to match the incredible levels of stress and burnout experienced by CISOs. 80% of CISOs say they are highly stressed, and the average CISO tenure is less than 3 years—well below that of other chief executives.
Increased compensation is a good start, but CISOs need more support. Some of the notable problems include a lack of legal resources and crisis management. The legal issue is particularly important. CISOs don't just lead the effort to keep companies safe. They must also navigate many regulations governing corporate responsibility, private data, and other legal requirements. Companies often overlook whether their legal services have sufficient knowledge of digital issues, yet digital companies need technology-savvy lawyers.
Don't neglect your CISO or the rest of your security department. The problems that impact CISOs (who are well compensated) also affect other team members, leading to burnout, decreased productivity, high turnover rates, and health issues that ultimately compromise security efforts.
Do they have the support, buy-in, and resources to do their jobs, cover their obligations, and involve the rest of the organisation? CISOs must also work towards these goals, but too often, the rest of the business treats cybersecurity as a side function and not a pillar for resilience. Change that attitude, and you'll retain CISOs and cybersecurity pros for much longer.