Despite a raft of new partnerships to bolster Australia’s base of cybersecurity skills, small companies will struggle to get enough staff to keep up with cybersecurity threats and should invest in cloud-based technologies to compensate, the head of a global IT governance organisation has warned.
High-level efforts to reinforce mechanisms for cybersecurity skills development – including the federal government’s new Cyber Engagement Strategy and a joint effort among the Victorian government, Deakin University, Dimension Data, ANZ and NAB announced today – promised to boost overall numbers of experts, but small businesses will, ISACA CEO Matt Loeb told CSO Australia, struggle to benefit from them.
Large organisations have already snapped up a sizeable portion of the cybersecurity expertise available in the market, Loeb explained, and “the resources become incredibly constrained as you go down the food chain. Multinationals and large companies can look at solving these issues top down, but smaller companies have to work bottom up.”
That process can be challenging in small companies where often-overtaxed staff have little clarity around the extent of their data assets, their exposure to data breaches, or even fundamental cybersecurity practices such as patching and privileged-account management.
New figures in the IDG Enterprise Security Priorities Survey suggested that small and medium enterprises (SMEs) are struggling to develop cybersecurity governance structures, with large businesses three times as likely as SMEs to have a formal CSO or CISO.
Yahoo showed the consequences of such a lack of visibility writ large this week as it revised the extent of its high-profile data breach – which cost it $US350m ($A440m) as acquirer Verizon Communications downgraded its acquisition offer in February – to indicate that all 3 billion of its users, rather than the 1 billion previously reported, had been compromised.
Also demonstrating the potential effect of a poor cybersecurity posture was the breach of Equifax, which has become a worst-case scenario in exploitation of sensitive data and, Gartner director of technology research & advisory John Wheeler has predicted, will lead to the company’s eventual bankruptcy and acquisition.
If such large companies still can’t get enough skilled professionals to get security right, small businesses have little hope of doing much better – and Loeb believes they should find other ways to fill the gap. Cloud services, in particular, offer organisations of any size a faster on-ramp to gain the capabilities that they might otherwise have hired specialists to deploy and manage.
“Especially when you get down to the small businesses, I don’t think it’s reasonable to expect that they will be competing for cybersecurity staff”, he explained. “Small and medium businesses should be getting themselves into the cloud ASAP because these services are coupled – and can relieve much of the staffing burden that SMEs need to worry about.”
A growing body of evidence suggests that Australian SMEs continue to delude themselves about their cybersecurity readiness. MYOB’s September SME Snapshot, for one, found that 87 percent of surveyed Australian businesses consider themselves safe from cybersecurity incidents because they have antivirus software installed. Just 13 percent said they had a cybersecurity plan.
Those laissez-faire attitudes are at odds with the potential damage to SMEs from a cybersecurity breach: a recent Osterman Research-Malwarebytes report suggested that 22 percent of Australian SMEs had shut their doors after being paralysed by a ransomware attack.
Many organisations are still struggling to paint executives a compelling enough picture of the potential damage from cybersecurity problems: recent figures from a Ponemon Institute-Centrify survey of chief marketing officers, IT executives and consumers found that 86 percent of CMOs believe the biggest cost of a security incident is loss of brand value.
These systemic mismatches between perception and reality highlight the need for IT leaders to quickly improve their cybersecurity capabilities through means other than conventional hiring of staff. This is often made even harder, Loeb said, because “many organisations don’t have good foundations for technology or governance embedded”.
“There’s actually no means of measuring the resilience of a company that could be defined as a universal consensus model,” he explained. “I’ve been around information products for the better part of my 30-plus year career and have never seen indicators that say ‘this is exactly what we need’.”
ISACA will next year seek to address this deficiency by releasing a cybersecurity assessment model, building on its 2016 acquisition of software process improvement pioneer CMMI Institute, that will adapt Capabilities Management Model (CMM) disciplines to give companies a way of evaluating their cybersecurity maturity.
A formal five-level maturity model will help CISOs frame discussions about cybersecurity by highlighting to executives just how good or bad their existing arrangements are – and strengthen the case for moving quickly by adopting cloud-based security services to plug the gaps.