CompTIA’s cybersecurity research over the past several years has featured a consistent but misleading data point. Companies regularly report that security is a high priority, one that is rising over time. The reasonable assumption is that companies are building strategies to address this priority, and that is where the data point is misleading. Given the historic mindset around security – namely, no news is good news – businesses are having a hard time defining proper investments in this critical space.
Our most recent security study, The Evolution of Security Skills, dives into specific steps that organizations can take to build an appropriate posture in today’s digital environment. All of these steps are rooted in an important shift taking place among security teams: Rather than focusing on prevention, where the goal is to keep any attacks from breaching corporate systems, the focus has become proactive detection, where the assumption is that no defense is perfect and constant vigilance is required. Here are five actions that IT pros and security providers should consider when developing a modern cybersecurity approach.
Agree on a definition of good security. Only 21 percent of companies in CompTIA’s survey rate the security at their company as completely satisfactory. Clearly there is room for improvement, but the question is how to determine where the gaps exist. Technical experts may have a good understanding of potential pitfalls, but business unit employees may only have a gut feel that things are not as they should be. In a new corporate setting where these different groups collaborate more than ever on technology strategy, a common definition of secure practices is a crucial first step.
Find the appropriate triggers for changing security. Having security as a high organizational priority is not enough to ensure that things are being done correctly. Too often, businesses assume that the absence of catastrophe indicates adequate security. Instead, decision makers must be educated on the correlation between IT architecture changes and security vulnerabilities. Seventy-one percent of companies say that cloud implementations have received higher security focus over the past two years, as many firms aggressively pursued cloud initiatives without updating their security tools and tactics.
Understand the breadth of the threat landscape. Most businesses understand that they want to protect against viruses and malware. These threats have been around for a long time and they continue to be a challenge since they are constantly changing. However, the variety of cyberattacks has grown exponentially. Defending against social engineering is different from defending against malware. Companies show a tendency to place more weight on those threats that are the most familiar – 64 percent believe they are likely to be affected by viruses, but just 24 percent believe they are likely to be affected by denial of service. Given the increased reliance on Internet presence, DoS and other new attack formats are growing threats that need their own mitigation strategies.
Build the appropriate technical skills. CompTIA’s Functional IT Framework identified security as a standalone IT discipline, emerging from the infrastructure function that has been the mainstay for IT operations. One of the main reasons that security is becoming its own specialty is the three-pronged nature of a modern security approach. Companies still have to build technical proficiency—especially in the area of security analytics—but they also need to build competency around secure process (such as compliance management) and workforce education.
Explore training to address security literacy. Workforce education needs to address the most common cause of security incidents – end user error. As technology becomes a useful tool for the entire workforce and employees introduce concepts learned from consumer technology, it becomes clear that technology literacy has outpaced security literacy. Companies see a need to improve their efforts around security training, focusing on foundational concepts such as password practices and proper response to potential attacks, and developing metrics to ensure that training is effective.
It should be clear that a proactive approach to security is significantly more complicated than a typical defensive stance. This means that the investment will likely be more substantial. In order to secure the funds and bandwidth needed for modern security, IT pros and security providers need to position security as a business objective, clearly describing the potential costs and tradeoffs. In a digital economy, companies that wait for a security incident before changing their approach run the risk of that security incident putting them out of business.