Why an Internal Cybersecurity Team Isn’t Enough to Keep You Safe

NOV 13, 2018

The number of cybersecurity breaches is on the rise in the United States, with 668 data breaches reported for H1 2018 exposing over 22 million records, according to Statista. Total costs are up 6.4% over the previous year to $3.86 million, according to the IBM/Ponemon study. Criminals are becoming more persistent and inventive, adding new methods such as crypto-jacking to their arsenal. Cyber criminals are morphing their tactics and strategies to create new, highly profitable revenue streams to the detriment of many businesses. Most organizations’ internal IT resources are ill-equipped to combat new and ongoing threats.

A common problem is that teams are stretched thin, making it nearly impossible to perform anything beyond their daily security functions. In fact, internal resources are rarely dedicated specifically to cybersecurity or given the training needed to proactively remain aware of new attack vectors and techniques. Instead, security responsibilities are divided among several team members’ jobs, making 24/7, 365-days-per-year coverage a near impossibility and leaving the door wide open for attackers. Of course, there are security tools available. But most are expensive and hard to integrate, requiring dedicated resources to review, maintain, and keep up to date.

For information security professionals, there is no shortage of vulnerabilities to address. Current evidence shows that attackers are far from complacent. Yet, despite this risk, many business leaders remain hesitant about outsourcing their IT security, preferring to rely on their internal resources. As experienced security professionals, we might be a bit biased on the topic, but we strongly believe that for most organizations, an internal cybersecurity team isn’t enough. Start by asking yourself the following questions:

Do I have the right personnel?

Augmenting your IT security team will be challenging. According to a recent survey by industry think tank ISACA, cybersecurity staffing problems persist because the available workforce lacks the critical skills needed. The survey reveals that nearly 59 percent of information security professionals report unfilled cyber/information security positions within their organization specifically due to the skills gap. 451 Research also reported that businesses are facing moderate to high difficulty when it comes to finding the right security talent.

For example, you likely have IT and/or information security staff with a wide range of industry experience and certifications. However, the challenge is applying that knowledge, talent and expertise in the places and roles where they are the most effective, the most challenged and the most cohesive.

Be sure to ask yourself: Which members of my team would prefer to be involved in learning and understanding the hacking mentality? Which team members can focus on regulatory compliance such as PCI, ISO or NIST? Which ones would be best placed to focus on new technologies such as cloud? What about resources to monitor current systems and respond to attack incidents? What about a resource to work with the business to help it improve and prevent successful attacks? And finally, do we have the right security leadership to manage all of this?

Do I have ENOUGH qualified staff that can cope with the day-to-day, manage new projects, AND keep us safe from threats?

Depending on the size, composition, and needs of your organization, you may have a variety of security engineers and/or architects on your team. However, new industry studies concur that the idea of having a few people who can do a little bit of everything just isn’t effective.

This year’s Black Hat survey of attendees identified one recurring underlying cause: insufficient security staff. In the 315-sample-size study, 65% of attendees noted they don’t have enough security staff to defend against current threats; 12% of those described themselves as completely underwater; and 5% said ‘what staff?’ This coincides closely with 451 Research’s Voice of the Enterprise study of Organizational Dynamics in Information Security, where 67% of participants noted their organization was facing a skills shortage in security, and 48% of large organizations noted significant difficulty hiring security personnel.

Budgets can also play a role. Quite often, management will hire less costly IT professionals with the expectation that they also ‘cover’ information security. Yet information security is not a one-line item, but a multi-layered, specialized list of critical security components (offensive security, defensive security, cloud, monitoring, regulatory compliance, intrusions, incident response, endpoint, malware).

Can we afford the expense?

While everyone can agree on the need for IT, some security teams are hindered by a common corporate psychology that cybersecurity is a cost center and a drain on resources. Fortunately, perceptions are changing from ‘IT as a cost center’ to ‘IT as a profit center.’ The right security and risk management approaches drive profitability, sustainability, and operational excellence for the enterprise.

As threats change and become more sophisticated, more specialized skills are required to protect an organization. It’s no longer enough for management to expect and rely upon their IT staff to manage their information security needs. Instead, IT departments are responding to this need for a wide variety of specialized skills by outsourcing to qualified and certified security experts such as Trace3. With a combined 80+ years of IT security expertise, our dedicated team works to identify and address risks early, deploy your IT resources efficiently, and protect your environment and data prudently. We apply the industry’s most forward-thinking solutions to revitalize your cybersecurity program, and operate from a platform that enables you to take the risks you need to profit and grow.
