Selection of resources that help CISOs keep up with the rapidly evolving cybersecurity landscape.
This is not an easy question to answer, and one that many CISOs, CIOs and CSOs struggle with. Most companies' leadership teams now understand that an IT security program is necessary. CISOs no longer get the pushback they used to face when proposing new security programs, but they are still expected to justify the approach they take to addressing cybersecurity threats.
In a perfect world, I’d be a big proponent of building your own team of IT security experts that intimately know your environment and your business goals and challenges and who can fully align with your IT ops team to mount the best fortress around your data and business applications.
That perfect-world picture often collides with the realities of the industry we work in and the market conditions that surround us.
The Challenges of Finding the Dream Team
- The first challenge that makes it hard for CISOs to hire their dream team is finding that team in the first place. Even as a specialized Managed Security Service Provider (MSSP), we at Hitachi Systems Security feel that challenge too. Let's face it: there is a cybersecurity talent shortage, and there are simply not enough IT security specialists to meet the demand.
Globally, for every 40 open positions in the industry, there is one qualified candidate. So if you're a new IT graduate reading this blog, stop right now and go get your CISSP. You can find more information about it here.
- If, as an employer, you do find those qualified employees, then you have to be able to keep them. The scarcity of talent in the industry makes retention very hard: good people are poached all the time, and unless you work for Morgan Stanley or another company of that caliber, holding on to them has become very difficult. You find them, you hire them, you train them, and they leave for a higher-paid job, leaving you to start all over again.
- The next challenge, if you do manage to hold on to that team, is keeping up with the latest cybersecurity threats. Our industry is probably the most dynamic in all of IT: threats evolve constantly and the complexity of cyberattacks increases very rapidly. Regular training and certification are also hard to fit in when you need that same team focused on defending your environment.
Solving by Outsourcing
To avoid the above challenges, CISOs are turning to MSSPs and outsourcing some of their security operations so they can mount a reasonable defense against cybersecurity threats. But that comes with its own set of challenges:
- First and foremost, you need to answer the question of whether you can trust that provider with your most confidential data, an issue I'll try to address in a future blog post.
- The second question you need to consider seriously is how an external entity can align with your internal goals at both the business and the operational level.
If your provider can positively answer these two questions, then you are onto something.
To find out whether you really need an MSSP, download this free checklist.
Regardless of the approach you take, it is worthwhile to have an external field expert or trusted advisor on board whom you can consult from time to time to validate your approach, or your service provider's, and make sure your blind spots are covered.