By: Mike Gruen, CISO at Cybrary
May 12, 2021
Mind the Gap — The Prescriptive Potential of Targeted Security Training
There’s a growing disconnect in cyber defense — while recent predictions suggest infosec spending could top 40 percent of corporate budgets in 2021, cyberattacks are also on the rise.
As noted by Forbes, 80 percent of enterprises surveyed say they lack sufficient protection against emerging infosec threats. At the same time, new IBM data shows an uptick in specific attack vectors such as Linux malware, brand spoofing, and ransomware. Add in the security stressors of remote work at scale, and it’s no wonder that organizations across the country are struggling to find a balance between keeping the lights on and keeping the digital wolves at bay.
The result? Security that’s “good enough” isn’t anymore. Businesses need to get ahead — and stay ahead — of evolving risks by taking prescriptive, proactive steps to bolster IT skillsets and boost the impact of infosec operations.
To address the changing landscape of cyberattacks, a risk management approach is critical. Organizations must create teams and tactics focused on minimizing risk wherever possible and avoiding risk wherever practical to reduce the impact of new threats on existing infrastructure.
But this isn’t easy. According to Infosecurity Magazine, more than 40 percent of remote workers are willing to circumvent enterprise security policies to access the applications and services they want, even if this puts businesses at risk. The growing cybersecurity skills gap exacerbates this issue: research firm PWC reports that the United States alone has 50 percent fewer qualified candidates than needed to fill security roles. Combine this with the shifting responsibilities of infosec pros, who must now protect remote and in-house networks in tandem, and it’s no surprise that risk is rising.
In practice, this creates a paradox for effective protection. IT and security personnel must find a way to permit the simplest, speediest access possible to staff working both at home and in the office without increasing overall risk — while simultaneously dealing with the growing shortfall of skilled security pros.
Beyond Checking Boxes
To address cybersecurity issues at scale, recent organizational efforts have focused on the notion of “hygiene”, ensuring that everyday policies and practices support the protection of digital assets across the enterprise. This approach typically includes creating robust and repeatable frameworks for operations, including patch and upgrade management, identification and access control, automatic issue detection, and data encryption.
In effect, solid cyber hygiene focuses on checking the most important security boxes by ensuring obvious routes for compromise are blocked and common cybersecurity risks are reduced. But attackers aren’t content with the status quo. As noted by Threat Post, spear-phishing attacks using supposed COVID-19 vaccine information as a lure jumped 26 percent in the last quarter of 2020 and continue to evolve as vaccine efforts ramp up.
The bottom line? Checking boxes isn’t enough; enterprises can’t afford to be caught off-guard if new threat vectors emerge.
Getting Ahead of the Game
So how do companies get ahead of the game to secure key assets and reduce total risk, even with infosec teams stretched thin? Here, three components are critical:
- Improved skills visibility
Not every infosec team member has the same skillset. As a result, skills visibility is key to ensure the right people receive the right training at the right time. For example, while there’s no reason for an experienced security professional to retake an introductory certification course like CompTIA Security+, the same training is massively beneficial for less experienced IT staff making the transition to security. As a result, solutions that provide skills visibility are critical to helping identify proactive paths forward.
- Targeted team training
This ties into the next critical component for security success: targeted training. Armed with skills visibility and knowledge of common attack vectors, companies can prioritize training types and timelines, from advanced ethical hacking courses to in-depth cloud security programs. Targeted team training frameworks help improve defensive coverage.
- Prescriptive protection practices
Last but not least? Companies need to prioritize skills and training that empower staff to address potential issues prescriptively. This includes knowledge of current compromise practices, such as evolving phishing threats or ransomware vectors — paired with the skills necessary to detect and deflect these attacks before they damage key systems.
Closing the Gap
Security threats and cyber skills gaps are growing simultaneously, forcing many enterprises into risky and reactive infosec frameworks that focus on keeping the lights on rather than keeping the doors locked. Paired with the rapid uptake of cloud and mobile services to support remote work at scale, this comes as no surprise, but puts companies in harm’s way as attackers evolve their approach, and new threat vectors emerge.
To reduce total risk, proactive protection is critical. And while it may not be possible to bolster technology teams with bigger staffing numbers, burgeoning budgetary trends can help improve enterprise infosec through investment in next-generation tools that identify skill gaps, prioritize targeted training, and empower teams to proactively predict, and protect against, evolving attacker efforts.