Horizons Spring/Summer 2019

Plus, organizations will need to protect that information while in possession. Addressing the requirements means combining business and technical processes to understand what information is collected, how it is collected, where it lives, where it is stored, who has access, how it is transmitted and how it is destroyed. The best approach is mapping out the data flow from collection/creation through destruction – cataloging the why, where, who and how. It is then important to perform an analysis as to how the data is protected, how you can determine if data has been compromised as well as the processes required for notifications under the appropriate laws and regulations. The most important aspect to remember is that this is not only a technology issue, it is a strategic business issue.

Prepared organizations will understand the sensitivity of data in their environment, outline the processes for responding to a breach and make sure insurance is in place to assist with the costs of a breach. Vigilant organizations will map the data, plan a response, test the plan and develop relationships with specialists who can assist when needed.

Skilled Security Professionals’ Talent Shortage

Cyber security talent is expected to be in high demand for the foreseeable future. A recent Ponemon poll reported that 68% of respondents believe staffing is an issue, 67% do not have the time to address known security issues and 71% indicated communications with senior management continue to get in the way of staffing and support. Universities, colleges and technical schools are trying to address the shortages, but often generate people who lack hands-on experience to perform the work. To be fair, cyber security skills run the breadth of technology from developers to operational administrators and often require detailed knowledge of security practices and underlying technology.

Many of the specialty skills in cyber security are still primarily learned on the job, by diving into the technology and investing personal time in the effort. No school or program is going to create a ready-made cyber security specialist. Experience is still a critical factor in managing a successful cyber security program. Over the next decade, the trend is expected to continue. More basic-skilled individuals will move into the workplace, but it could be 10-15 years before they gain enough experience with product companies and service organizations to have a significant impact.

While cyber security requires many different skills, if you are limited in resources, you can focus on those who have a broad understanding of security, comprehend the long-term plan and are capable of communicating clearly with management. Hiring an ethical hacker to lead your security program may sound like a good idea, but typical ethical hackers are technical specialists who are quickly bored by day-to-day routines and may not fit the management culture needed for effective communications. Rather, it is advisable to hire a solid generalist with good communication skills and selectively outsource and co-source technical requirements. If your organization does not need a full-time security specialist, consider engaging firms that provide virtual Chief Information Security Officer (vCISO) services to advise senior leadership on strategy and planning.

Prepared organizations will have a basic understanding of security services and relationships in place with security service providers who can be called upon as needed. Vigilant organizations will integrate co-source or outsource services into the security program so they are prepared for new threats as they emerge.

Cyber Security in the Next Decade
