A lot has been said, and written on this blog, about cyber-crime and the threat that it poses in today’s society. But are we looking at the root cause of the issue? If we keep on complaining about it without taking active steps to manage the process, are we merely paying lip service?
I recently read an article on infosecurity-magazine.com which discusses a new approach to identifying and combatting cybercrime.
Paths of least resistance
The article points out that cyber-crime is like water: the criminals find the path of least resistance. The risk is growing, everyone knows it, and everyone knows that cybersecurity diligence is just one of the costs of doing business. However, it’s interesting to watch how the cost of managing risk is becoming more of an investment than an expense.
A company’s customers, its supply chains, its vendors, even its potential merger and acquisition partners, are now calculating the cybersecurity profile of a company before deciding to work with that company. Cybersecurity has evolved to become an elemental business component that grows revenue and opens doors for market expansion.
The article adds that cybersecurity has worked its way so deeply into the core of our collective business imperatives that enterprise valuation, investment opportunity, customer acquisition, and other critical goals depend on a company’s ability to demonstrate cyber health and resiliency.
Who’s managing risk?
It isn’t only what companies are doing with security that has changed; who makes the decisions is shifting as well. While it may be common knowledge that CISOs, CEOs, and even boards of directors are getting involved in cyber decisions, the security buyer has also moved laterally in the organization.
The article points out that business units are increasingly getting in the game: product leaders (who own the P&L of the product or service) are making key choices on compliance frameworks, security testing activities, and vendor selections to better enable the success of their products in a security-conscious market. Cloud migration strategies have also changed the mix of today’s security initiatives and compliance activities, affecting the decisions these professionals make.
Demonstrating cybersecurity strength and integrity
The article adds that, whether a company offers products or services, security is becoming a necessity and, often, a contractual requirement. Where once the time and costs of cybersecurity were considered unfortunate drains on business resources with negative impacts on the bottom line, proof of cyber stature is now a revenue enabler in numerous ways.
- New market requirement: We are seeing many cases where markets or nations require proof of cybersecurity rigor before they will consider purchasing a product or solution. For example, the federal government is the largest consumer of cloud services, and any provider wishing to serve this market must comply with the Federal Risk and Authorization Management Program (FedRAMP) and/or other frameworks to tap into this massive opportunity.
The article points out that, according to recent research, 33% more cloud solutions were approved for government use in 2018 than the previous year, demonstrating that providers are embracing the compliance path to opportunity. Hardware manufacturers in some nations may need to prove their products are free of cyber vulnerabilities before entering new national markets by undergoing penetration testing or other security testing processes.
Some companies can open new markets through partnerships with third-party solutions providers—but third-party risk management becomes a needed part of the security strategy. Additionally, international markets are more accessible with proof of compliance with frameworks such as ISO;
- Contractual requirement: Customers no longer assume a product or service is secure; many demand proof within their contract terms. Examples include: a large university medical center being required to conduct penetration testing, or they will lose NIH funding; a large telecommunication company being required to comply with NIST to secure a GSA Enterprise Infrastructure Solutions contract; and countless cloud service providers securing government contracts with the provision that they obtain FedRAMP Authorities to Operate or other framework demonstrations;
- Investment and M&A requirement: Cybersecurity risk has become intrinsic to a company’s valuation. For investment or M&A activities, evaluating a company’s cybersecurity posture is essential due diligence, as risk can be—and has been—inherited and put deals and their prices at risk. This is a tale that a prominent web services provider and retailer know only too intimately: News stories have recounted cautionary tales of acquisition prices plummeting many millions of dollars after unfortunately timed breach disclosures, or an acquiring company being embarrassed by a breach disclosure of their recently acquired asset;
- Secure solutions requirement: Because today’s savvy customer expects that solutions be secure, more companies are building security and compliance alignment into their solutions early, rather than waiting for a customer to demand it at signing;
- A prime example can be found in cloud solutions: while significant opportunity exists in the cloud market (Gartner predicts up to a trillion dollars of spend will be directly or indirectly affected by the cloud over the next five years), security is still a top concern. To get ahead of the concern, the article’s author reports that 80% of their business comprises service providers requesting assessment of their products and/or designs to build cybersecurity into the product, proactively meeting market security demands;
- Brand protection requirement: Security incidents and publicly exposed vulnerabilities can damage a brand and hamper future revenue streams. Many organizations are taking significant security measures beyond compliance to defend against security incidents. Examples include: helping a customer ensure a competitor can’t hack their unrevealed fashion line before release; penetration testing automobiles to search for potentially brand-damaging vulnerabilities before an incident can occur; conducting comprehensive security testing of a medical device manufacturer’s physical location to ensure physical security gaps won’t lead to malware implants that can affect the hospital user base.
Refreshing to see
The article points out that, as a security professional, it’s refreshing to see something so critical finally being embraced as a core business function that drives business forward. As we enter a new decade, cybersecurity has emerged as a top-line, revenue-generating component enabling expansion and growth into new markets.
Organizations are encouraged to make the best use of their security stature and promote their investments to help gain competitive advantage – and to ultimately make positive impacts on their bottom lines.
A widening gap
Winning the cyber-security war is about more than tech. There is a human element involved as well, and unfortunately there is a significant skills gap in this area. We have already published blogs about the widening skills gap in the US and in the UK. Asia is another region that is falling prey to this.
The article points out that research released this year by Microsoft and the global research firm Frost & Sullivan has found that more than half – 51 percent – of companies in the Asia Pacific region have either experienced a cybersecurity incident or are not even sure if they have had a cybersecurity incident. They are paying for it in the form of stolen information and money.
Not only have these episodes cost these companies dearly, they are also hurting productivity: nearly three in five – 59 percent – have delayed the progress of digital transformation projects due to the fear of cyberattacks.
The article adds that it might not be of much comfort to the companies affected, but separate research has also found that most of these cybersecurity incidents could have easily been prevented. Research by the Online Trust Alliance calculated that in 2018, 95 percent of all breaches could have been avoided through simple and common-sense approaches to improving security.
This raises a simple question: if so many of these attacks could have been prevented, why weren’t they? There is a simple answer: there are nowhere near enough qualified, experienced cybersecurity workers in Asia.
The skills gap
The article points out that this cybersecurity skills gap is not just a problem for Asia. Far from it. New research by the international, nonprofit membership association ISC2 estimates that there are currently almost 3 million unfilled vacancies in the cybersecurity sector and that all regions of the world are affected. Though the EU is leading the world in cybersecurity, it still lacks 142,000 trained professionals.
The cybersecurity skills gap in Asia, though, is on a different scale. The Asia-Pacific region, partly due to the rapid increase in the use of web technologies in the region, has (by far) the biggest gap. At the beginning of 2019, it was estimated that Asia needs 2.14 million extra cybersecurity workers.
The article adds that those in the industry are aware of this shortage. In the same research, fewer than a third of companies – 28 percent – have what respondents consider the right amount of cybersecurity staffing. That could soon change, since 48 percent of the organizations plan to hire more cybersecurity professionals in the next year or so. Still, almost as many – 39 percent – expect to see no change in cybersecurity staffing, with 5 percent actually expecting to experience a reduction.
Why the gap?
The article points out that there are a number of key reasons for the current skills gap in cybersecurity. The first is simply that companies in Asia are facing a hugely increased threat level. This, in turn, is due to a number of underlying factors.
One of these is that, as the region develops, hackers have seen an opportunity to steal money and data. The second is that, as IT infrastructure develops, companies in Asia are turning to practices that expose them to risk. Remote working in the region – either for companies based in Asia or for workers visiting from abroad – is a huge source of risk unless employees use a quality VPN service to protect themselves and take some basic steps to stay safe, especially when working remotely.
The article adds that the second reason for the skills gap relates to morale. It is not uncommon for cybersecurity conferences to now feature dedicated streams which discuss how to handle work stress, depression, and burn-out. In fact, the demands put on those staff who are properly trained have led to a vicious cycle: companies put huge expectations on a small security staff, who then become overworked and quit the profession, which increases the workload on those who stay.
The third reason for the skills gap is undoubtedly a financial one. Though companies in Asia have begun to prioritize budgets for security, they are lagging behind the world when it comes to this. Research has shown that while 49 percent of companies say cybersecurity is a budget priority, 60 percent said it should be a higher priority. In addition, 55 percent of organizations expect to boost their budgets in the next year but 70 percent of respondents said the increase will not be enough.
In this context, it’s not surprising that Asian graduates in cybersecurity are looking elsewhere for good employment prospects.
What can be done?
The article points out that different companies and governments are taking different approaches to deal with this skills gap, though on such a huge and diverse continent it is difficult to see any integrated approach emerging.
Some countries have taken matters into their own hands. Vietnam has recently introduced draconian cybersecurity laws which, the government says, are designed to protect citizens and businesses from cyber threats. The rise of social media in Cambodia has also forced the government there to consider state-level legislation.
The article adds that critics of these approaches point out, however, that these laws do not protect businesses from the most advanced threats, and can also be used by the government to collect and seize commercial data, a concern that was at the heart of the recent Huawei scandal. Companies in Asia might have to take matters into their own hands. Recent research has shown that companies in Asia are exploring two ways to increase their defenses in the absence of trained engineers.
One is the use of threat analysis software. This software can automate threat detection and response and can allow one cybersecurity professional to do the work of many. The other recent advance is artificial intelligence. Research has shown that more than 80 percent of businesses in the US are “already seeing a difference” from using AI and machine learning technologies as part of their security strategy, and that such technologies could even be indispensable to an organization’s ability to detect advanced threats.
A long-term solution
The article points out that these solutions might work in the short term, but it’s also apparent that the cybersecurity skills gap is not going away anytime soon. Instead, we will need to train more cybersecurity workers to provide a sustainable solution to the problem.
If, in short, Asian countries are serious about leading the world when it comes to technology, they will also need to lead the world when it comes to cybersecurity.