The growth of the remote workforce is straining efforts to protect data as companies struggle to find professionals with the skills and expertise to secure enterprise systems and networks.
Competition for talent grew in 2021 from a year earlier, leaving many companies with short-staffed privacy teams. That’s according to ISACA’s newly released Privacy in Practice 2022, a survey of 832 constituents with certified cybersecurity or privacy backgrounds.
Worse, the demand for talent is expected to grow this year as more boards of directors express support for tighter security, the global IT association said in its report, released today and timed for this year’s Data Privacy Day on Jan. 28.
More than half of those surveyed (55%) by ISACA, the Information Systems Audit and Control Association, say they don’t have enough technical workers. Some 46% say they lack legal and compliance expertise. Hiring has slowed because of a razor-thin talent pool. Half the technical job applicants don’t have knowledge of frameworks or controls. Others simply don’t have enough technical expertise.
“A lot more is being asked of the privacy teams, which are under the spotlight in different ways than before,” says Safia Kazi, a privacy professional practice adviser at ISACA who led the development of the survey. And while the lack of available talent is the No. 1 reason for staff shortages, close behind is the lack of awareness shown by some companies regarding the issue.
What they don’t know is hurting them
One in five respondents to the ISACA survey, which included legal and compliance teams also suffering from a talent shortage, said they didn’t even know if they’d had a privacy breach in the past 12 months. That is particularly surprising, as well as alarming, given the wide range of high-profile criminal cyber attacks that occurred in 2021. “It is fascinating that they have no clue,” Kazi says. “They may not be doing the appropriate monitoring.”
Or any monitoring at all, says Rebecca Herold, CEO of the Privacy & Security Brainiacs consultancy. Herold says many organizations haven’t completely identified their networks and databases, or the personal devices their employees use when working remotely. Some companies, she adds, also don’t know what data they’ve entrusted to third-party providers or what steps those providers are taking to keep the data secure.
“There are so many places where data resides that a company may not know about,” Herold says. “That makes proper risk assessments very difficult.”
That’s why the first thing cybersecurity experts recommend is a complete discovery and inventory of an enterprise’s hardware and software, as well as a full catalogue of who has access to what data and where the data flows. The inventory enables a company to install basic cyber hygiene practices aimed at staving off cybercriminals, nation-state hackers, and hacktivists.
To fill the talent gap, almost half the companies in the survey say they are training non-privacy staff to move into privacy roles. One benefit: Those workers have a more intimate knowledge of a company and how it works. About a third of the companies in the survey say they are turning to outside contractors or cybersecurity and data privacy consultants, who can bring in up-to-date tools and expertise to upgrade a company’s security faster.
Educate workers on cybersecurity and data privacy issues
Bringing in outside help works best if the outsiders also educate in-house workers on how best to secure data, Herold says. That also means that a one-and-done upgrade isn’t enough. Herold says too many business and tech leaders tell her their networks are secure because they ran a monitoring tool once. Once is not enough. Monitoring needs to be continuous.
In the long term, education must be a top priority. And not just when workers arrive at work. Data privacy should be taught in school, says Herold, because children are carrying around smartphones. Teach them to use those devices safely, she says, and “you will have a population that is coming into the workforce aware of data privacy.”
Kazi agrees, saying early education would make the privacy profession more attractive to young people entering the workforce.
The good news is that the likelihood of privacy budgets being reduced is low, according to the survey.
“It is much more of an imperative for companies,” Kazi says. “We’ve seen the clear harm of breaches, how people’s lives can be ruined.”