CompTIA just released its State of Cybersecurity 2024 report, looking at the major trends that will be taking place in this critical field over the next 12 months. At a high level, organizations in the six different regions we surveyed are focused on protecting their critical assets and protecting the privacy of their customers’ data, and they’re continuing to build strategies that keep them one step ahead of the bad guys.
The best way to build a strategy is to take a top-down approach. That means building an organizational mindset and developing the processes that will help ensure secure operations. In 2024, that mindset is largely going to be centered on risk management as a way of figuring out where to make cybersecurity investments. From there, cybersecurity will influence a wide range of decision-making, obviously including technology choices but also touching on business operations or personnel activities.
Setting the overall strategy is one thing; actually putting it into practice is another. This is why the next step is to make sure that the right skills are on board. Naturally, most organizations think about dedicated cybersecurity specialists when they consider where they might have skill gaps. Areas such as application security, threat expertise and network security are all high on the wish list when it comes to skills that organizations are trying to build on their cybersecurity teams.
However, these areas also hint at another workforce trend: Cybersecurity skills are important for IT pros in every discipline. Here’s a look at how specialists in each major area of technology should be thinking about cybersecurity:
- IT Support: The workers providing the first line of defense for user questions are also the first line of defense for cybersecurity. Although users typically aren’t going to submit tickets asking how to behave securely, IT support specialists need basic cybersecurity knowledge so that they resolve tickets with security in mind. It’s no good resolving an employee’s network access issue if that inadvertently opens a door for hackers to walk through.
- Infrastructure: Most network admins and cloud engineers have a good working knowledge of cybersecurity, especially if they are working in an organization without a dedicated cybersecurity team. As more and more infrastructure moves to the cloud, these pros have to make sure that there are full cybersecurity solutions for the architecture, including any gaps that might not be filled by a cloud provider. In many cases, that will mean having some awareness of areas that might fall outside their expertise, like applications and data.
- Software Development: Application security is the top skill that organizations want to improve for a reason. As the foundational layer of infrastructure is becoming more stable, organizations are focusing more energy on building complex solutions using software and artificial intelligence (AI). This has led to explosive demand for software developers, and these developers need to understand secure coding practices. Since many applications live outside a secure perimeter on cloud systems or mobile devices, software developers need to follow best practices in DevSecOps to make sure their tools and apps have security built in.
- Data: Applications aren’t the only thing that’s moved outside the security perimeter. Data is also traveling further than ever before. Data specialists need to be aware of what controls are present in all three phases—data at rest, data in motion and data in use—and they also need to consider governance policies to ensure that data capture and processing meets any applicable regulatory requirements.
- Cybersecurity: By definition, cybersecurity specialists are always thinking about cybersecurity. The twist for these pros is making sure that cybersecurity efforts line up with organizational objectives. A clear description of costs, benefits and potential impacts is the key input to the risk management process. Cybersecurity pros also need to quantify the work they’re doing. “No systems hacked today” is not going to cut it when asking for more budget or more people.
- Enablement: At a basic level, the most important question that IT project managers and personnel managers can ask is probably, “Have we thought about cybersecurity here?” Simply making sure that cybersecurity is part of the conversation is the best way to make sure it doesn’t get ignored. Beyond that, having some understanding of the details can prevent projects from getting derailed by inadequate cybersecurity measures.
For several years, respondents in CompTIA’s survey said that the top challenge to improved cybersecurity was an organizational belief that cybersecurity was “good enough.” Most places found it very difficult to make investments until there was an incident, and there weren’t enough tools to measure how good the cybersecurity posture actually was.
As the mindset and tools have been improving, a new challenge has risen to the top. In this year’s study, cybersecurity skill gaps are the biggest hurdle to pursuing cutting-edge initiatives. Most organizations will focus on building a robust cybersecurity team, which is a great step. But they can’t ignore how important cybersecurity is for every other technology role – and neither should you.
Read the CompTIA State of Cybersecurity 2024 to learn the many variables that must be considered in balancing the cybersecurity equation.