The booms rustled me from my sleep, and the resulting shockwaves communicated something bad was happening. I immediately sat up in bed, conducted a quick self-assessment, and made sure my CHU (containerized housing unit) mate, and I were not injured. My second combat tour in Iraq and rarely did bombings or mortar attacks disturb me any longer. They had become a fact of life and when they happened (not if they happened) if you were alive at the end you only continued operations; it was just another day at the office.
This particular incident seemed unusually disturbing and subsequently I got up out of bed and decided to see if my F.O.B. (Forward Operating Base) had been hit. After a quick perusal outside I determined that everything was OK and went back to sleep. All this happened in a matter of fact manner that suggested I had become desensitized to the realities of war.
I believe the same is true of our information security personnel. The realities of cyber attack (when not if) coupled with understaffed information security departments, and sensory overload of our staff are contributing factors. Each of these factors contributes to what I call the groundhog day mindset. In other words, we spend our time going through the motions because we have given up hope that we can make a substantive impact. Not that we don't want to, but we are overwhelmed and overworked; we have defaulted into survival mode.
Once we have entered into survival mode only the most evident and extreme events, awaken us from our malaise. By this time the attacker has been within our systems, an average of six months and has begun exfiltrating data from our systems. Desensitization could cost U.S. companies on average $6.5 million. The writing on the wall is crystal clear. Our security strategies have to address the problems that overwhelm our teams and lead to desensitization.
Problem 1: The staffing shortage
According to a 2014 study published by Ponemon 70 percent of respondents said their information security department was understaffed. The study also indicates 40 percent of IT security jobs will remain unfilled in 2015 alone with 49 percent of supervisory roles. Overall the headcount within our security department is steadily increasing but demand still far exceeds supply.
Information security leaders need to start looking within their ranks to grow security professionals. Recently, I listened to a CISO discuss how his accounting firm overcame these challenges. They sought out accountants with an aptitude for information security and provided them with training. The program has experienced outstanding results. After all, who understands our businesses better than the professionals within the organization. If you want to strengthen your security strategy, seek talent from within and provide training.
Problem 2: Biting off more than we can chew
Our enterprise infrastructures did not become insecure overnight. In all likelihood, it happened over a period of years. Our insecurity built up over time and very likely has only come to light in the recent past. Our IT staffs are often very competent but without security professionals who understand the unique business processes of the organization (and who can communicate with business executives) it is hard to implement adequate controls. Subsequently, we often prioritize operations and relegate security to the back burner. Now we have discovered the error of our ways and we're in a hurry to secure our networks.
Our networks are insecure because of choices we made (or didn't make) over a period. Likewise, it will take time to nurse our security posture back to health. It will require a concerted effort from all stakeholders within the organization, and the project must be championed by senior executives. To avoid overwhelming our staffs we need to break down our project into smaller projects. The Center for Internet Security’s 20 Critical Security Controls offers a prioritized method for slowly but surely securing our networks.
The role of talent management cannot be underestimated. We have only begun to scratch the surface and dive down into one of the most critical issues affecting the security of our enterprises, desensitization. Please join me over the next six weeks as we dive deeper into this issue and learn how we can solve this nagging problem.
This article is published as part of the IDG Contributor Network. Want to Join?