The Rising Business Need for Cybersecurity Efficacy

Image source: TreeHugger

While lions roar loudly and sharks are perceived as the top predators, their hunting efficacy is, surprisingly, 50 percent or below. Dragonflies, on the other hand, look soft and fragile, yet they are the most efficient hunters in the animal kingdom at 95 percent accuracy.

Gartner projections show the growth in cybersecurity spend is slowing. The same trend is reflected in the recent 'State of Cybersecurity 2021' survey report by ISACA. After years of heavy cybersecurity spend, boards are starting to push back and ask for a demonstration of how cybersecurity has contributed to business growth and profitability, the ultimate reason any business stays in business. Surely, a global pandemic that brought IT budget freezes and other budgetary impacts to keep the lights on and minimize financial loss, as well as unplanned investments to accommodate remote workers, has contributed to this. With a few exceptions such as technology, retail and gaming, which grew during the pandemic, the impact of COVID-19 on many businesses and enterprises has been negative (Source: Forbes).

Many of you have heard the phrase 'Shift Left', which is usually associated with DevSecOps.

We need to 'Start Left' when it comes to continuous optimization of security services: we need to improve security services efficacy, scale it and sustain it.

Security efficacy is becoming a top priority. It's everywhere. For example, Breach & Attack Simulation (BAS) technology is becoming a new 'norm' as it helps organizations to automate security posture verification and assess the efficacy of their existing security technologies. Leading with technology alone results in poor outcomes (Source: Gartner). Security capabilities are a function of people, process and technology. It is the cybersecurity team that has to manage BAS alongside, on average, 50 or more other security technologies in their operations, while risk identification and mitigation remains their primary task (Source: Forbes). The ISACA survey results show that enterprises continue to lack desired IT security staffing levels, even though the pandemic appears to have positively influenced cybersecurity staff retention efforts.

ISACA has identified a correlation between staffing levels, retention and the number of cyberattacks (Fig. 1).

Fig. 1. Correlation between understaffed cybersecurity teams, cyber attacks and talent retention. (Source: ISACA)

We consider understaffing, difficulty retaining talent and a high volume of cyber attacks to be 'symptoms' associated with a number of deeper challenges. They could indicate a disconnect between hiring managers and those charged with sourcing candidates (just 31 percent feel that the human resources (HR) department fully understands IT security hiring needs; source: ISACA), broken processes, data management issues, split ownership of the SOC, a lack of alignment between security services and the business, etc.

In 2020, Quantum Cybersecurity Skills completed an anonymous survey of 50 global SOCs and found that the major reasons for SOC talent turnover and a greater volume of cyber incidents are often a reflection of cybersecurity efficacy.

53 percent of survey respondents indicate difficulty retaining talent (source: ISACA). In the same way that businesses drive end-user focused digital journeys to attract new and retain existing customers to increase profitability, retention of cybersecurity talent should be the No. 1 goal for HR. There are a number of effective ways to help achieve it: involve cybersecurity talent in mapping out their own 'CV in 5 years', which includes cross-function training, better leverage of their existing skills, new technical and soft skills development, promotion opportunities, a positive security culture, clear goals at individual, departmental and organizational level, leadership that empowers others and drives security excellence, more entry-level positions, continuous employee surveys, a reputable employer brand, an exciting digital transformation strategy, a security excellence rewards program, etc.

"Operational risk is the way forward, tied to business metrics and anchored in good models, methods and processes."

- Simon Goldsmith, APAC Information Security Officer, Adidas (Source: F-Secure)

Technical cybersecurity positions were the top vacancy reported this year, a trend unchanged since last year's ISACA report. Identifying soft skills as the primary skills gap suggests that business acumen is needed for technical security teams. Security controls implementation, software development-related topics (e.g., languages, machine code, testing and deployment), data-related topics (e.g., characteristics, classification, collection, processing and structure), coding skills and networking-related topics (e.g., architecture, addressing and networking components) were amongst other notable gaps (Fig. 2).

Fig. 2. Quantified Skills Gap (source: 'Status of Cybersecurity 2021' survey report by

37 percent of respondents rely on contract employees or outside consultants (Source: ISACA). Quantum Cybersecurity Skills addresses the need for specialist technical skills by offering businesses the flexibility to hire an on-demand technical team, be it for fine-tuning the services of your security controls such as SIEM, EDR, WAF, etc., for risk identification and mitigation, or for hardening your platforms, systems and applications (cloud, Linux, Windows, code, etc.). What IT Security Leaders need to focus on is creating an easy, effective and secure way for such teams to access the network to perform their professional services tasks. Verified network segmentation and strong access management are key.

Security processes usually offer a great opportunity to improve efficacy; they need to be verified to withstand the test of a major data breach emergency. In its report 'The Urgency to Treat Cybersecurity as a Business Decision', Gartner lists four major challenges to cybersecurity efficiency, one of which is that 'compliance with any regulation does not equal appropriate levels of protection'. Executives believe that compliance will save them. Many of them know or sense the reality that compliance does not equal protection, but why invest more if the regulators ask to check only certain boxes?

In a nutshell, driving cyber maturity and security services efficacy is not for the purpose of achieving continuous SOC productivity optimization; it's about being empowered to make smart decisions by identifying business risks early and accurately to significantly improve business continuity while adding speed and accuracy to risk identification and mitigation.

Organizations that are able to take full advantage of their Security Services (SOC) are Leaders when it comes to reducing business risks and operational costs and improving resilience and business continuity. Scale and sustain the resources that you already have - it's part of an agile and integrated risk management strategy.

Quantum Cybersecurity Skills was co-founded by seasoned SOC Managers to help SOC Managers and CISOs out there. We are your trusted Partner to deliver continuous SOC productivity optimization aligned to ISO 27001 PDCA, proactive and reactive security services, MDR and professional risk mitigation services. Our services are applicable to organizations of any size in any industry, whether with an in-house SOC / CSIRT / CERT or outsourced to an MSSP. We run operations in the UK, Canada, Mexico and Spain to meet customers' Data Privacy requirements.