There is no sugarcoating the daunting financial realities many organizations will face in the coming years as they dig out from the damage inflicted by the COVID-19 pandemic. Within that challenge, though, are promising opportunities for many organizations to strengthen their security teams.
For years, organizations have been struggling amid a well-documented skills shortage, with many unable to fill open positions with qualified practitioners. In ISACA’s State of Cybersecurity 2020 report, 62% of respondents say their cybersecurity teams are understaffed and 66% say it is difficult to retain cybersecurity talent.
For many small and medium-sized organizations that do not have the resources to compete with larger organizations, it has been nearly impossible to attract and retain the security professionals they need to contend with the challenging threat landscape.
Now might be the time to strike. The economy goes in cycles, and much like after the major economic collapse of 2008, many organizations now find themselves in an entirely new reality. At least in the short term, pandemic-driven economic damage has led to a high volume of job losses, and the security industry will not be untouched. This volatility, while terrible in many respects, can create major opportunity.
There will be many talented security professionals suddenly looking for work. Organizations that are in more stable shape financially should view this as a rare opportunity to scoop up talent that might have been furloughed or laid off. This can be an especially opportune time to find professionals for some of those hard-to-fill roles, such as technically proficient cybersecurity practitioners, data scientists and security professionals with expertise in artificial intelligence.
Organizations would be well-served to look at the positions they have been unable to fill in the last year or two and, if they can afford to do so, move swiftly to revisit those searches.
This unusual period also can be a prime opportunity for organizations to step back and analyze opportunities to improve their security leadership. Experienced, capable CISOs are in especially high demand, and many organizations either cannot find them or cannot afford them. In many cases, that leads to mid-level security practitioners being elevated to CISO roles without the background to truly bring a strategic, holistic skill set to a position that comes with enormous challenges.
For many small and medium organizations, bringing aboard micro-CISOs who can lend high-level expertise part-time is a much more practical and realistic approach, and these individuals might be more willing to consider such opportunities now, given the tumultuous job market.
Organizations that need strong expertise in a specific area – such as AI or cloud security – might be able to find outside contractors or advisors to lend that expertise and strategic vision. This isn’t to say that full-time, in-house CISOs are not valuable. Each organization has different needs, and larger organizations that can afford full-time CISOs should certainly have them, but for many organizations, creative approaches are needed, and pursuing micro-CISOs whose backgrounds match up with an organization’s needs is often the best way to go.
The bottom line is that now is the time for organizations to think a little differently. This might be the best time to find solutions to longstanding challenges organizations have with their security teams. The urgency to act should be higher than ever. In ISACA’s recent COVID-19 study, 87 percent of respondents indicated that the rapid shift to work from home increased risk of data privacy and protection issues.
For instance, many remote workers are using their own equipment to connect to the enterprise. Many are using VPNs or remote desktop connections that open potential holes into the enterprise network if the remote worker’s system becomes compromised. Those organizations that have already adopted zero trust architectures are likely to be less susceptible to such attacks.
However, many enterprises are still relying on a network perimeter as a primary protection mechanism, and the increased holes in that perimeter given the growing volume of remote workers represent increased data privacy and protection risk – all the more reason that organizations need to make sure their security teams are as well-resourced as possible for the evolving landscape.
The economic impact from the pandemic is a big and painful challenge, but often when there is a big challenge, there is a corresponding big opportunity. Now might be the best time for many organizations to make significant headway on challenges they have been facing for years.