The C-suite could be the blind spot in your cyber security strategy
Just like every other employee, the boardroom needs to be aware of the basics
The cyber security skills gap is a business challenge that isn't going anywhere soon - in fact, it's an issue that's looming larger on the horizon than ever before. Almost two-thirds of businesses (63%) believe they have a security skills gap, according to research from non-profit association (ISC), with more than half of these believing their business is at risk of an attack as a result.
So, what's the problem? Why are businesses and their employees still so ill-prepared for cyber security threats? Firms certainly aren't shy when it comes to spending on technology to help keep errant actors at bay. Worldwide spending on security products and services will reach $114 billion in 2018, an increase of 12.4% from last year, according to Gartner.
The analyst house says skills shortages are driving this investment and predicts total security spending will grow 8.7% to $124 billion through 2019. Yet while investment in technologies can help reduce risk, it should not be seen as a panacea, especially when in-house cyber-security capability remains a rare commodity for many organisations.
GWR is investing heavily in cyber security following its move to AWS
Rob Howe, IT director at Guinness World Records (GWR), says digital leaders must stop relying on tools in isolation. The way to help combat cyber security concerns is to use a mix of technology and, most crucially, staff education. "You can put as much technology as you want in front of services, but you must focus on training your staff," he says.
Howe says his firm works hard to ensure it has implemented appropriate tools from its providers. GWR, which has recently pushed its infrastructure to the cloud through AWS and a partnership with Ensono, says the strong security focus of these firms was "a deciding factor" when it came to selecting an external partner. Yet Howe says external expertise must be matched by internal education.
"Repetition helps - we do dry runs, where we send out phishing emails from our department to the people across the business," he says. "I think that kind of white-hat hacker approach is a common strategy in other businesses. It can be other simple things too, like catching people if they don't lock their machines and showing what could potentially happen and what could be taken."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Howe is far from the only expert to have recognised the importance of internal training programmes. The National Cyber Security Centre (NCSC) recently launched fresh guidance for organisations, suggesting business leaders must embrace the technical detail of cyber security, or face a greater risk of attack.
The NCSC says people at board level must understand at least the basics of cyber attacks, cyber risks and cyber defences. The organisation's Chief executive, Ciaran Martin, warned there is a misconception in many boardrooms that security is too complex, too sophisticated, and threats are impossible to stop.
Howe also recognises the importance of ensuring all employees - including those at the very top of the firm - are not swayed by such misconceptions.
"Everyone needs to understand they need to watch their behaviour, too - cyber security is not just the responsibility of the IT department," he says. "We all need to keep the business secure and we all need to make sure there's connectedness across the organisation when it comes to that responsibility."
Like Howe, Shawn Edwards, chief technology officer at financial data specialist Bloomberg, says it's critical that the company's board members are versed in the basics of information protection. "All executives should understand what cyber security is," he says.
"Of course, that's something we do at Bloomberg. We talk to our executives and we invest an awful lot of time and resources in that training," he says, adding that CIOs and other c-suite executives must dedicate time and money to filling the cyber security skills gap.
New Bloomberg employees are asked to come up with solutions to cyber challenges as part of their first task
"Best practice to me is about building the best teams that you possibly can," says Edwards. "You need a team with diverse skills sets and backgrounds who can think about cyber security in different ways. I pride myself on finding great people. As an IT leader, you then need to provide direction and guidance."
Edwards says his new hires are often tasked with creating "brilliant solutions" to Bloomberg's cyber security challenges. It's a method that helps the firm protect its business-critical data, something that is a never-ending battle for the company.
"You're never finished," he says. "You have to assume that someone, somewhere will make a mistake - someone will click on a phishing link, even if you tell them not to. Of course, we train people not to do that, but you must design a system that assumes being compromised is a possibility. You must have a series of layers to detect and prevent malicious attacks."
It's a sentiment that resonates with Christine Walters, director of informatics at St Helens and Knowsley Health Informatics Service. Thanks to recent investments, Walters now has access to a security dashboard that allows her to see where the IT department is in terms of alerts and how its work matches the priorities of the business. Technology helps keep the threat low, but she recognises staff training is key.
St Helens and Knowsley Health Informatics Service now focuses on mobile connectivity
"You need to have the right tools to monitor, and prevent, attacks," says Walters. "But one of the biggest elements for success is the education of staff. Telling people not to click on a link, and to not give a password out over the phone, might sound like simple pieces of advice but they need to be repeated. Establishing the right kind of staff behaviour is crucial to maintaining information security."
Walters says her organisation is focused on using mobile technology as part of the normal working day, and her team is now working closely with clinicians in order to change the way they approve and authorise documentation. This joint focus on digitisation and security has to be the way forward, she explains, particularly as attacks against the health care sector are on the rise.
"Since WannaCry, information security has the highest of priorities at the core of the business," says Walters. "There's a lot of support, but it's also an area that's going to require a lot more investment, both in terms of money from central government and at the local level.
"Boards recognise the investment is required and the key issue will be whether continued funding comes in fast enough."
Mark Samuels is a freelance writer specializing in business and technology. For the past two decades, he has produced extensive work on subjects such as the adoption of technology by C-suite executives.
At ITPro, Mark has provided long-form content on C-suite strategy, particularly relating to chief information officers (CIOs), as well as digital transformation case studies, and explainers on cloud computing architecture.
Mark has written for publications including Computing, The Guardian, ZDNet, TechRepublic, Times Higher Education, and CIONET.
Before his career in journalism, Mark achieved a BA in geography and MSc in World Space Economy at the University of Birmingham, as well as a PhD in economic geography at the University of Sheffield.