But first we need to take stock. After the initial shock of lockdowns and mass remote working, what have we learnt from the past year as we all attempted to adjust to the new reality?
The widespread shift to cloud to support those working remotely has inadvertently created a much larger attack surface. The sheer number of new locations, devices and networks organisations are managing today alone calls for a security rethink – a need that’s magnified by a year-on-year increase in threats. And the pandemic has magnified the problem, sending a huge wave of email scams, ransomware and brute force attacks to disrupt companies.
High profile incidents have underlined how every organisation needs to look again at their approach to security. The Colonial Pipeline attack demonstrated how evolving ransomware can threaten key infrastructure. Then the SolarWinds incident showed that every organisation must now assume their network has been breached, expecting sophisticated attackers to find a way in and then manage to stay hidden for some time. And the Microsoft Exchange exploits highlighted how easily software vulnerabilities can be an open door for widespread attacks. These attacks also highlight how vulnerabilities exist throughout the supply chain and how much the definition of security perimeters have to change.
It makes sense that, as you rethink your security approach, to ask for more from your security teams. And yet many organisations are turning to a resource that just isn’t there. Across the board, we’re feeling the effects of an emerging skills shortage. Recently, we consulted with over 7,000 business leaders and found that 56% of organisations feel they’re at risk due to cybersecurity staff shortages, and a further 22% are planning to further reduce the size of their security team. Will organisations be able to attract the skills they need to plug the gaps in their defences?
Operating with a skeleton security team might work – if organisations could be confident they have the best available defences. However, the figures tell a different story. Our research uncovered a clear contradiction between how many organisations perceived their security and the reality. We found that 76% rated their IT strategy as ‘excellent’ or ‘good’ at protecting against cybersecurity threats, but that 84% also admitted their organisation had suffered a data loss or security incident in the previous two years.
So what’s the true state of security? It looks like carrying on as they have before isn’t viable, and organisations need to bring in expertise to review their approach and secure their operations. But, interestingly, even though they’re struggling, 60% of companies say they’re uncomfortable outsourcing or using external security providers for support. It looks like their reluctance to give up some level of control could be putting them at unnecessary risk.
The CISO stands at the heart of this conundrum and has the power to lead the organisation through it.
The CISO can’t be swamped by routine security tasks. They need the freedom to take a fresh look at security, identifying gaps and cutting through the noise to focus on what’s really important. Today’s CISO should be drilling down into areas where they can add the most value and helping to drive the transformational projects that will give the business an edge.
To make this a reality, organisations have to be willing to look beyond the confines of their business for support and solutions. Collaboration with a trusted partner is a tried and tested route to freeing up the CISO to truly secure the organisation. But it means organisations have to be prepared to give up some level of control to an external provider.
Now is the perfect opportunity to look again at how you can secure your future. It’s a chance to review your priorities and look at how you can bake-in security to your infrastructure, network, people and processes. Talk to us for expert insight on how you can balance cost with control and reduce risk - without needing to expand your security teams.
