To meet today’s evolving cybersecurity threats, many enterprise leaders will focus on technology, layering tool upon tool and approach upon approach across siloed areas of the business.
For instance, electric utilities serving a collective 56 million customers have either installed tools to better detect cyberattacks or have pledged to do so. In fact, 60% of senior IT and business leaders surveyed plan to increase IT spending, with security as their highest priority, according to Enterprise Strategy Group (ESG).
A robust response is a great start. But tech tools alone don’t stop breaches. Today’s sophisticated hackers are too smart for that.
After a major security breach, what often goes missing from federal initiatives and the panicked strategies of corporate CEOs is an effort to strengthen two of the most effective weapons in a company’s arsenal: its frontline people and processes.
To harden cyberdefense, it pays to do more than show employees how to establish an incident-response plan or warn them against answering phishing emails. Those are the low-hanging fruit among the many actions leaders should take.
Getting people and processes right requires thinking deeply about the barriers that inhibit the effectiveness of the security professionals companies rely on for their defense. If someone is constantly overwhelmed with security alerts, lacks the right skills, or is blocked by organizational inertia from doing what they need to do, a company won’t stand a chance of defending itself.
To begin to stabilize the first two elements of the three-legged stool of “people, processes, and technology,” companies should focus on action in the following three areas.
After more than a year of heroic efforts to secure their companies following the greatest experiment in remote work in history, security professionals are reaching record levels of burnout. “The human toll of the last year has been tremendous,” Martin Fisher, director of information security and chief information security officer at Northside Hospital in Atlanta, recently told Endpoint. “We are jumpy. Every alert becomes a minor incident-response investigation. That level of effort is exhausting.”
One survey concluded that the average enterprise sees more than 10,000 security alerts daily, with nearly 30% of companies reporting more than 1 million alerts. Compared with the average American worker, security professionals are more than twice as likely to report poor work-life balance and more than three times as likely not to take a full vacation.
An agile workflow process called kanban, adopted by all Toyota plants in 1963, can help security professionals prioritize tasks when things change by the minute. It works by visualizing a team’s workflow so that everyone can see both the team’s priorities and what everyone else on the team is working on.
Too often in many organizations, coders think their brilliance is enough. They just code products until they work, and the rest is some “security professional’s problem.” In contrast, an emerging practice called DevSecOps aims to build bridges between these and other dueling fiefdoms to catch vulnerabilities early by integrating security team members and processes into the software development life cycle.
One way to bridge the internal divide is to make security a more integral part of the IT development process. Nearly two-thirds of companies today don’t involve security teams at early stages of IT projects, according to EY research. Another way to close that gap is to adopt “shift left” software testing—prioritizing security testing much earlier in the development cycle rather than bolting it on after the fact. The approach encourages, if not requires, more collaboration between security teams and developers.
Patch the tech talent pipeline
Employment for information security analysts and engineers in the U.S. is projected to grow by 31% from 2019 to 2029, according to the Bureau of Labor Statistics. But the Aspen Institute’s Cybersecurity Group estimates that 500,000 cybersecurity roles in the U.S. alone will go unfilled this year. A California report found that even if every student in an IT-focused college program were to go into cybersecurity, it wouldn’t be enough to fill all the available jobs in the state.
To meet the talent gap, companies must look beyond graduates of four-year engineering and computer science programs. Cybersecurity and IT leaders are calling for employers to embrace “new collar” workers, people who may not have costly four-year college degrees but who possess the foundational skills and natural aptitude for today’s in-demand tech-based jobs. For example, Mastercard helped create the Cybersecurity Talent Initiative, a public-private partnership that places participants—most of whom are women, minorities, or people who have decided to switch professions—into entry-level cybersecurity roles. After two years, they can apply for jobs at one of the program’s corporate partners and get $75,000 in student-loan assistance.
Tanium operates two career-nurturing programs that promote talent and diversity in the workplace. Each year, the company hosts a cohort of the Society of Women Engineers (SWE), a nonprofit educational and service organization, from UC Berkeley. The program, which is run from Tanium’s headquarters, gives students the opportunity to shadow Tanium engineers, receive on-the-job coaching, and take part in mock coding interviews. In addition to the real-world experience and contacts it offers students, the program provides Tanium with fresh and diverse perspectives—not to mention enthusiasm—around the technology industry.
In partnership with the Department of Defense, Tanium runs the SkillBridge internship program, which gives U.S. military members job experience during their final months of active duty. Recruits train on Tanium’s platform and work with Tanium’s teams and customers, experiencing creative, out-of-the-box problem-solving in action. Any rank, enlisted or officer, can participate.
Changes in the areas of diversity, public-private partnerships, and “new collar” hires are happening. As they do, companies will improve their defenses in far better ways than a technology tool can provide alone.