Breaking the cybersecurity stalemate by investing in people

No surprise, it happened again.

In 2018, the financial toll cyber breaches took on organizations hit $3.86 million, a 6.4 percent rise from 2017. Before last year’s close, analysts at Gartner claimed worldwide spending on infosec products and services would increase 12.4 percent, reaching over $114 billion in 2019. In fact, when the U.S. government announced a 2019 budget of $15 billion for cybersecurity-related activities, it came with a 4.1 percent jump and a caveat: “Due to the sensitive nature of some activities, this amount does not represent the entire cyber budget.”

It all adds up to more damage, more spending. For businesses, it’s a continuation of the same frustrating stalemate – plenty of cybersecurity pains and no gains. Making matters worse, industry-watchers expect unfilled security positions to reach nearly 4 million in just a few years. Yet, it’s in this area that businesses may be overlooking the one way that they can begin to turn the tide.

The problem is, many leaders are not recognizing the value of training, and how the cost-effective investments they make in this realm could make a real difference – now and into the future.

Time, money and training

A study by analysts at Enterprise Strategy Group (ESG) in 2017 showed 25 percent of the cybersecurity pros they surveyed thought a skill shortage was having a big impact on their organizations. Later that same year, further ESG/ISAA research put that figure at nearly 70 percent.

With this skill shortage in mind, cloud-based training of IT staff has become vital. At many enterprises, security teams are distributed across the globe. This makes consistent, regular training imperative. To provide this in person, it would be too costly and time-consuming. Luckily, online training can take place immediately and anywhere there’s an Internet connection, making it the most affordable way to keep skills sharp and protect your company.

Invest in the front line

The ESG/ISAA study points out that nearly two-thirds of organizations don’t provide the training needed to keep up with business and IT risks. In Ponemon Institute’s 2018 Cost of a Data Breach Study, employee training was pointed out as one of most effective ways to decrease the costs of a data breach.

In a previous Help Net Security article, I pointed out the value of hands-on training, which has become even more important over the past year as cyberattacks continue to become more complex and sophisticated. To expand on this, organizations should consider using virtual training labs or cyber ranges, which enable incident response training in safe, sandboxed lab environments that mirror real scenarios; users evaluate situations and try to counter attacks with the best policies and responses.

Still, note that specialized cyber ranges might not be appropriate for all organizations and participants. Many cyber ranges go beyond what IT teams need, delving into advanced tools and techniques needed to protect critical infrastructure like public utilities.

Another consideration is certification programs. Many leaders quickly assume if they provide or fund employee certification programs, they’ll use that accreditation to secure a more lucrative position elsewhere. Executives and leaders must understand there are many opportunities for cybersecurity personnel and this won’t change anytime soon. Showing an employee you’re invested in their career development is not lost on them. This will help retain talent and provide immediate benefits via information sharing with other industry professionals, all while increasing staff motivation.

Other resources often overlooked are your technology suppliers. Many vendors offer programs to certify your employees on their solutions. They make recorded sessions available on-demand, provide virtual labs for hands-on training, and even offer multi-day annual events where they share case studies and more. By enabling your employees to take part regularly, you not only fulfill their desire for advancement, you better protect your infrastructure by assuring employees are skilled on the latest features and best practices for using their tools in your environment.

Heal thyself

In the Ponemon report, 66 percent of participants felt employees were the weakest link in security. They’re right. Employee negligence remains the biggest cybersecurity risk to business. This shouldn’t come as a surprise to anyone in security or IT, but it also shouldn’t be news to employees – they need to know they’re a risk and what they can do about it.

To start, the CISO of a company, as the leading security officer, needs to set the tone – and communications should ripple from that office. All must know this is serious business and procedures must be followed. Conduct regular training sessions, send updates on the latest threats and promote awareness with internal communications. And above all else, the IT team must run security tests; there are plenty of modules available to see if employees will click on malicious threat.

Further, ensure human resources – the function often responsible for employee onboarding – is making this a priority. Get those good habits ingrained from the start.

Invest in your people

According to ESG/ISAA’s study, nearly two-thirds of organizations aren’t providing the training needed to keep up with cybersecurity risks.

You can fly key security staff in for face-to-face training. The costs will be exorbitant, and by the time they make it home, there will be a whole new set of threats to deal with.

You can tell employees what not to do, but if they’re fooled by a new threat, you’ll end up paying a lot higher price than training requires the minute your customers’ data makes its way into the wild.

Want to make headway on cybersecurity? Invest in your people – it’s a sure way to get a strong return on your investment.