How to reduce the security debt and future-proof your security team, IT News, ET CIO

By Vishal Salvi

The need for cybersecurity talent has grown 3.5 times, from 1 million in 2013 to 3.5 million in 2021. There is a severe shortfall of the right talent, and if this trend continues, we will have anywhere between 2 and 3 million unfilled cybersecurity positions globally by 2025. This is an untenable situation, and something needs to be done to curb this imbalance. This has not only led to a significant rise in cybersecurity professionals' compensation, but also to higher attrition.

The cybersecurity domain has, for a long time, remained complex and highly technical. There are a number of domains and subdomains, multiple information risk management frameworks, innumerable standards and regulations and, to top it all off, thousands of security tools and technologies. It is impractical to expect one analyst or architect to master more than 2-3 cybersecurity domains in their career. However, we continue to operate in a world where a huge diversity of technologies is being adopted and deployed across enterprises. This is causing a severe imbalance between demand and supply, and the unfortunate outcome is poor quality of deployment and an inability to extract full value from the cybersecurity solutions deployed.

While we need to fix the talent gap, a concentrated effort on capacity building is equally important. As an industry, we must aim to reduce the complexity and diversity of the tools and technologies being used. One of the biggest challenges is that software vendors and startups are incentivized to develop new solutions and patches to solve current problems instead of building these functionalities into existing solutions, i.e., adopting a built-in versus a bolt-on approach. Any solution developed should be measured on the value it eventually delivers instead of its theoretical capabilities and functionalities. Analysts should not measure the success of a technology just by the number of deployments and revenues but by consumption and the number of threats prevented. Once we start doing this, there will be pressure to create solutions that are simple to deploy and provide quick time to value.

It is essential to simplify the value delivery of cybersecurity architecture and remove the entry barrier to this profession. Future solutions should be pre-engineered, built with security by default, and should not require too many customizations. There should be a team of cybersecurity professionals who are fully trained to operate these platforms efficiently and effectively. Investing time and money in cybersecurity education and training is vital to creating a workforce that comprises cyber-skilled professionals as well as cyber-aware employees. The future should be cloud-enabled security as a service, delivered through cloud-enabled platforms. This can be done through a joint effort by security software product vendors and managed security services providers, which will allow CISO teams to focus on their core role of business engagement as well as organization risk and change management. Just as data centers are now rapidly moving to the cloud, on-prem security architectures and hybrid models should migrate to platform-driven security as a service.

Today, because of challenges such as the complexity of security architecture, the scarcity of cybersecurity talent and continuous change in the digital landscape, we are adding a significant amount of security debt to the ecosystem. This security debt is manifesting in the rise of cybercrime and breaches. To curb this, the following needs to be done:

  1. Simplify the enterprise cybersecurity architecture so that the entry barrier to this profession can be reduced
  2. Consolidate and build as-a-service platforms which are ready to use, sentient and provide quick time to value
  3. Implement a security-by-design approach in everything that we do in cybersecurity. Retrofitting security is not only expensive but also very porous
  4. Implement hyper automation so as to remove dependency on cybersecurity talent. More focus should be placed on engineering and automating cybersecurity processes and systems
  5. Build capacity and train people from different backgrounds to run the cybersecurity playbooks

If the industry implements the above 5-point agenda at scale, it will go a long way in reducing the security debt in the ecosystem.

The author is Chief Information Security Officer & Head of Cyber Security Practice – Infosys
