Don't overlook your biggest security flaw -- your talent


What's your best line of defense against cybersecurity threats? Skilled, experienced, highly trained IT talent. Don't skimp on hiring, training and retention, or your business may suffer the consequences.

The IT skills gap isn't as bad as you think -- it's worse, much worse. Especially in the area of cybersecurity, that skills gap is a major threat to your business.

The skills gap all IT organizations struggle with can be summed up in three words: "not enough people," according to author and Wall Street Journal columnist Gary J. Beach (Beach is also publisher emeritus of CIO magazine and CIO.com). But when the skills gap is viewed through the lens of cybersecurity, it becomes much more than an HR struggle to put bodies in seats: it can be dangerous and costly.

CIOs must take advantage of their unique position in the C-suite to drive increased emphasis on security spending, hiring quality talent and furthering education and training for that talent, or risk catastrophe.

Security is a sound investment

The paradox inherent in enterprise security is that if you're doing it right, no one can tell, says Mark Weinstein, founder of social media platform Sgrouples, CEO of MeWe.com and a cybersecurity and privacy expert. According to Weinstein, CIOs must be vigilant about explaining the real risks and threats, and be willing to drive the investments necessary to mitigate them.

"One of the major issues here is that if you're doing security right, you're not necessarily going to see the results. You're not going to get the huge breaches, you're not going to get the highly publicized failures, which you'd assume is a great thing, but that can lead to complacency -- and an unwillingness to invest in skilled talent, preventative technology and education and training to keep organizations secure. So it's all about being able to understand threats, how they're evolving and why, and be proactive about heading them off before they occur," says Weinstein.

That proactive approach must also extend to communicating effectively about the nature of potential and emerging threats and continuing to make security a priority across the entire organization, says Elaine Varelas, Managing Partner of Keystone Associates. That includes realistic assessments of the costs and benefits of a sound security strategy.

"Organizations tend to reward people who save them the most money, but especially in the area of security, they don't always understand at what cost that's being done," Varelas says. Organizations that are security conscious enough to have a chief security officer are often more proactive about security issues, but for those that aren't, the burden often lands on the shoulders of the CIO.

"If you're trying to squeeze out a few extra bucks by hiring cheaper talent, slashing software budgets or eliminating training and education, well, in the short term you might be rewarded. But someone must be asking the question, loudly, 'Does this increase our risk?' At the highest executive level, some CEOs will say, 'Well, that's not my issue, I hired a CIO for that,' but the constant vigilance about security, risk and threats has to be spread across the entire organization, not just on the shoulders of one exec," says Varelas. CIOs must be confident enough to maintain, with the help of the CFO, the financial balancing act of risk-versus-reward so everyone understands how to make the best, most secure decisions.

"CIOs in this position must be able to communicate their beliefs about the level of security that's needed in language everyone can understand. The C-suite, executive boards, managers, entry-level workers all must understand that even if they can't see results of the security strategy immediately, that the strategy is working and the investment is paying off," she says.

Don't ignore education and training

It's not enough to simply invest in hiring security talent, though; there must be adequate resources devoted to keeping that talent on the cutting edge of security and best practices. "Sometimes executives believe that if they've hired a few people, they've solved their vulnerability problem. But it's more complex than that -- landing the talent's only half of the equation. It's about continuing education and training for that talent; defending budgets for conference attendance, educational courses and workshops. What your talent locked down and secured for you last year could be vulnerable this year. It's about more than just salary, it's a continuous investment into the best weapon you've got -- the brains behind the technology," says Weinstein.

Many organizations do understand the need for continuing IT training, especially in the areas of security, compliance and governance skills, but balk when confronted with the costs of such training, according to a survey from Cybrary, a provider of free massive open online courses (MOOCs) for IT and cybersecurity.

The survey asked 405 senior-level technology professionals about their companies' plans for IT training in 2015, according to co-founder Ryan Corey. While 61 percent of respondents said employees in their company need such training and 55 percent predicted an increased need this year and beyond, the survey revealed that most companies plan to spend the same amount of money on IT training for 2015 as they did in 2014.
