The key to keeping cyber talent

Amid the waves of covid-19 and talent shortages, cyber governance can provide the steer.

By Hilary Walton, CISO at Kordia
1 Apr 2022
read time
3 min to read

With a recent survey reporting that around 48% of employees will be searching for new jobs in New Zealand, the already concerning skill shortage around experienced cybersecurity and technical professionals has only been amplified.

Losing too many key people in these areas has overt consequences – it can impact operations, weaken your security posture and delay key projects.

Longer term, this can have a detrimental effect on your brand, reputation and your customers, particularly if you suffer a breach at an inopportune moment and struggle to resolve it in a timely manner.

What is clear is that employee expectations are shifting and organisations need to evolve their operations to meet these needs.

Asset management

Business leaders are realising that they must make a shift to retain their cybersecurity talent.

Security teams are exhausted. After two years of managing covid-19 induced crises, securing new perimeters and providing rigour around data and tools newly shifted to the cloud, it’s not a stretch for them to look to greener pastures if they feel that the organisation isn’t recognising the importance of their work.

The key to retaining talent and securing your organisation is making sure your technical and security teams are well supported with a well-defined cybersecurity strategy, championed by the board.

Focus on security governance

Combined with other pressures generated by the current business environment, it’s more critical than ever that boards ensure their organisation’s cybersecurity is on track to provide the right outcomes. A slip in security governance has the potential to create wide-ranging damage, amplified by staffing pressures.

Governance of cybersecurity needs to come into sharp focus, particularly as businesses become largely digital entities.

You may not view your organisation as a “technology” company, but with most businesses shifting infrastructure and data to cloud environments, it’s imperative that this mind set changes and all businesses start viewing themselves as technology-driven entities.

All boards should have some understanding of cybersecurity, but it’s important to define this differently from technology. Certainly, a director with technology expertise is likely to have a decent knowledge of security concepts, but with technology becoming an all-encompassing banner for so many parts of the business, it’s unlikely that cybersecurity will receive the focus it deserves if lumped under this umbrella.

Security governance is much more than understanding the technical components of your security policies – it is about having visibility of risk and assurance.

As employees in technical teams shift, it becomes more important than ever to have a cybersecurity vision that guides the decision-making process across the entire organisation. Integrating cybersecurity into all areas of the business and building cyber risk into your holistic risk management approach is key to making sure all bases are covered.

Furthermore, oversight of the allocation of resources will be an influential component of a cybersecurity programme, especially if teams are struggling when recruiting the right talent. Setting up a structure that defines cybersecurity roles and responsibilities will help define this.

“For malicious hackers, the supplier ecosystem is an attractive target as a single attack can result in multiple victims. That’s why it’s critical to ensure the partners you trust are properly vetted and provide evidence of security measures put into place to mitigate risk.”

A potential blind spot

Most businesses rely on third parties to manage or automate certain processes and operations, or even store data and tools for them in the cloud. This means the same rigour needs to apply across your partners and suppliers when it comes to cybersecurity. A vendor that doesn’t uphold a robust security posture presents a serious risk.

For malicious hackers, the supplier ecosystem is an attractive target as a single attack can result in multiple victims. That’s why it’s critical to ensure the partners you trust are properly vetted and provide evidence of security measures put into place to mitigate risk.

Further to that, the board should ensure the organisation has mapped out where data, apps and other critical touchpoints intersect with your vendors, so you have an accurate view of what your third-party supplier risk looks like.

Practice makes perfect

For many organisations, facing a serious cyberattack is like entering a storm – in the chaos you may lose access to your systems, your communication tools may be down, and you may find yourself struggling to notify employees and customers of what’s happening.

This is where your incident response plan comes into play. It’s important to make sure that it actually works for your organisation before you need to use it.

So much good improvement comes from putting the theoretical into practice. I highly recommend organisations take the time to practise their incident response plan, even if it’s simply a tabletop exercise. Like public speaking, rehearsing your response breeds muscle memory for people and secures buy-in from the wider organisation.

This is particularly relevant if your team has changed shape, lost key people, or has gained new employees. It’s critical that your key players can work together during a crisis. Walking through the decisions you’ll need to make, and playing out conversations between technology teams, executives and the board in advance is a good way to test your plans.

While we may not have a crystal ball to determine exactly what the threat landscape will look like, to maintain the best defensive position directors must engage more heavily in security governance.

A solid strategy, with clearly understood risk, as well as defined roles and responsibilities, will ensure your teams are well supported and put your organisation on course to tackle any rough seas ahead.