I’m going to go out on a limb and say that I’m probably not the only one that’s pleased to see the back of September. The cinders of the Equifax breach continue to fall into October and, irrespective of the identities of the actors behind the breach, the impact of the exposed 143 million Social Security Numbers will have a long tail.
In light of this, it’s probably a good time to reflect on the current state of security. Which is just as well, given that we’re two days into the first week of the annual National Cyber Security Month (U.S.) and CyberSecMonth (Europe). It’s a great opportunity to look at ways to overcome the challenges we face. As a reminder, here are the weekly themes for the respective U.S. and European security awareness months.
| Date | United States Theme | European Theme |
|---|---|---|
| Week 1: Oct 2-6 | Simple Steps to Online Safety | Cyber Security in Workplace |
| Week 2: Oct 9-13 | Cybersecurity in the Workplace is Everyone’s Business | Governance, Privacy & Data Protection |
| Week 3: Oct 16-20 | Today’s Predictions for Tomorrow’s Internet | Cyber Security in the Home |
| Week 4: Oct 23-27 | The Internet Wants YOU: Consider a Career in Cybersecurity | Skills in Cyber Security |
| Week 5: Oct 30-31 | Protecting Critical Infrastructure from Cyber Threats | |
THREE COMMON GLOBAL THEMES
The U.S. and European themes do differ a little, but there are three common themes which apply to all organizations across the world.
1. Increase In Connected Devices, And The Difficulty Of Managing The Risk
Social media, mobile computing and cloud services have increased the ease and speed of communication, while simultaneously reducing the cost. The “internet of things” looks to add further complexity to this, with some forecasts claiming there will be 200 billion connected devices by 2020.
This is tricky for organizations to manage, especially when they don’t directly control the flow of information. Employees, suppliers and other third parties are all sharing and exposing sensitive information. Keeping track of what data is shared and when it becomes exposed can cause regulatory headaches, privacy concerns and, ultimately, loss of revenue.
2. Security Is An Issue Beyond The Security Department
Week 2’s theme is “Cybersecurity in the Workplace is Everyone’s Business”, which ties into two main areas: building a culture of cybersecurity and security as a strategic issue.
Building a culture of cybersecurity is something we’ve written about a good amount (here you can read our blogs on Security Culture and Resilience). This is important to ensure every individual within the organization is vigilant and feels like they can report security issues. Security isn’t something that starts and stops at the SOC.
As Equifax’s share price attests, security has strategic implications and, as such, it should be strategically driven. Boards need to understand that weaknesses in an organization’s security posture can have significant strategic implications. At the same time, employees need to do a better job of communicating this risk to the board.
3. Security Teams Are Held Back By A Skills Shortage
In his keynote presentation at the 2017 SANS CTI Summit, Cliff Stoll recalled that he and his team had “Zero budget, zero expertise and zero mandate.” While Cliff was talking about the 1980s, these three challenges remain.
Hiring good people and building up expertise remain some of the biggest challenges, which is why it’s great to see the focus on the skills shortage. The underrepresentation of women in security is a problem that continues to plague the industry, and we’ll be digging deeper into this in Week 2.
However, a lack of diversity extends beyond gender inequality; it includes the need to train individuals from diverse backgrounds. Having a broader range of backgrounds and skills is important in helping teams avoid falling into groupthink and other cognitive biases.
We’ll be publishing blogs on these weekly themes, so stay tuned.