Information Security in changing times: Can you deliver Essential 8 compliance out of the box?
You need someone to go with you on the Essential 8 journey, so clearly articulate your risk appetite and what you are willing to accept
By Secure Agility
Recently, we were pleased to host Steven Woodhouse, a respected CIO with a wealth of Cybersecurity and Cloud experience. We discussed several issues that are pertinent right now in information security.
As the supply of skilled talent struggles to meet demand, how can information security be ready for the increases in volume, type, and complexity of responsibilities?
In this second blog, we recap what has changed in the security skills space and offer some strategies to keep your capability ahead of the game.
The infosec landscape has fundamentally shifted over the past decade and the COVID-19 pandemic has further changed things quite rapidly.
We did more digital transformation last year than in the past 10 years and more remote working has resulted in many endpoints sitting off the corporate network as potential exposure points.
As an example of this evolving ‘threatscape’, Woodhouse notes that not long ago we were thinking about protection from the outside, with a perimeter. That is no longer the only vector, and the threats themselves have changed.
They now range from state actors to the emerging business risk of ransomware, which can easily be emailed to thousands of addresses to entice people to click on it; the pandemic itself is now being used as bait.
The cost and volume of ransomware have increased dramatically, and experience shows that some organisations that suffer a major incident don’t ever recover.
What are the new types of threats that previous skills don’t address? The world has changed from a security perspective because IT has changed.
The old skills are still required, but a more risk-based approach is needed as regulatory bodies, such as ASIC, make IT a board-level responsibility.
From a traditional security perspective, there needs to be a better understanding of risk and business, and how threats might affect business.
In-house staff and teams are often best placed to understand the business and risks of a data breach, but that doesn’t mean you can’t procure the skills you need to keep ahead of the threats.
Skills like ‘how to configure a router’ can be bought and MSPs can monitor security for different operations on a 24×7 basis.
Are there pathways for traditional security skills to be modernised? As a start, teams can no longer be purely technical, and leaders of in-house teams need a better understanding of the business and its risk.
In-house security sometimes has a reputation for saying “no” to everything. Moving forward, they need to be more willing to say “yes” and put forward a better way to do things so staff can run the business.
Australian organisations can invest heavily in information security products, services and training, but IT and business leaders must be aware of the limits of risk mitigation.
Spending on controls needs to be balanced against risk and cost, and there comes a point where, no matter how much you spend, you can no longer reduce the risk any further.
To meet the skills shortage and participate in the digital economy with confidence, organisations must find the right mix of buying, partnering and extending in-house teams.
Meeting the information security skills gap demands a hybrid approach, and this has the added advantage of enabling change as threats evolve.