Every financial firm is faced with increasing challenges around cyber security. Most recently, the European Central Bank had its data stolen and advised all users to change their passwords. Cyber threats are not going away and hackers are especially hungry for banks’ intellectual property, writes Garry Sidaway
The increased global dependency on technology, combined with the evolving complexity of cyber security threats, continues to increase our vulnerability – at a national, organisational and individual level.
Incidents will no doubt rise and become more sophisticated and harder to detect if threats are left unchecked. Securely managing networks against a backdrop of complex and frequent threats is presenting CIOs with a major challenge. For many companies it is no longer possible to tackle the growing problem in-house, because there is an increasing shortage of people with the right IT security skills, experience and availability to address it.
The rise of IT skills shortages
CIOs in the financial industry face many challenges but few are more demanding than the lack of people. Evidence shows there is an ongoing recruitment challenge in the discipline of cyber security. Training and development challenges are often to blame. According to the ISACA 2014 APT Survey, 62% of organisations have not increased security training in 2014 but, on the other hand, the cost of breaches is thought to have doubled last year in the UK alone.
In addition, 77% of organisations supported during breach activities had no incident response plan in place, according to NTT Group’s Global Threat Intelligence Report. This finding suggests there are skills shortages in key areas of cyber security, and that more focus could be given to prioritise resources to optimise IT security and risk management.
Geographical location can also be to blame for the growing skills gap. Much of the skills shortage in Europe can be attributed to the move towards offshoring technology operations to India in the mid-90s. As a result, between 1998 and 2000, it’s estimated that 70% fewer graduates attended courses that were core to entering IT professions. The result is a skills gap that could take generations to fill – 20 years according to the UK’s National Audit Office.
We are now seeing a widening gap between the number of IT security experts needed and the growing number of threats to be managed, and the European Central Bank certainly won’t be the last financial institution to be the subject of a high-profile security breach. Simply put, there are too many threats and not enough professionals in the industry.
The rise of complex cyber threats
Whatever the reason for the skills shortage, organisations are faced with a growing volume of cyber attacks. There was a 62% increase in the number of security breaches in 2013, according to the World Economic Forum, and 2.5 billion records have been exposed in the last five years as a result of a breach.
To add fuel to the fire, the Cisco 2014 Annual Security Report estimates there are 1 million unfilled security jobs worldwide. This is unlikely to change in the near future, as there are simply not enough IT security professionals. Organisations therefore need to urgently review their resourcing options if training and development isn’t a viable option.
Some financial firms may choose to sit tight and do nothing about recruitment, but all the indicators are that the security skills gap will be with us for some time. The number of breaches and the shift to Advanced Persistent Threats (APT) will continue, networks are increasingly complex and identifying threats is a perpetual challenge. But are there really enough skilled resources available to analyse the mountains of data and turn them into actionable threat intelligence?
With fewer skilled professionals, some organisations will struggle to do anything beyond keeping the lights on. The smarter businesses will take action to understand their risk exposure across the business and prioritise areas to focus on. This enables them to make more informed decisions around resource requirements to help mitigate risk.
However, a lack of resources will often mean that there isn’t anyone available internally to carry out the assessment in the first place. Security and risk management are important areas for any organisation and, as the threat landscape continually changes, every company must consider its current risk exposure in the context of its commercial objectives.
Time to take a managed security services approach?
More and more firms are now collaborating with a Managed Security Service Provider (MSSP) to leverage its information security and risk management expertise for some or all of their security requirements, which suggests that it is time for the financial industry to follow suit. In fact, the 2013 Aberdeen IQ Survey found that over half of the respondents had done just that for at least one of their IT security solutions (up from 36% in 2011).
Hiring help from a third-party provider enables the organisation to benefit from an independent assessment that helps it understand its risk exposure, consider best practice, prioritise activities and articulate these at all levels of the business. It also addresses the issue of IT skills shortages. MSSPs take away the problem of there not being enough resources – they know how and where to find the right experts, invest in training and professional qualifications, and make these experts available around the clock.
It’s worth noting, though, that any business thinking of working with an MSSP should exercise caution. Not all providers are the same. Find one that is prepared to work within the business model and strategic aims – not to its own agenda. It’s about getting access to their collective global knowledge and systems, and highly experienced people. This will provide the active threat management required to help mitigate risk at a time when the IT skills gap faced by financial firms will be hard to fill in the foreseeable future.
Garry Sidaway is global director of security strategy at NTT Com Security