
The Importance Of Training: Cybersecurity Awareness As A Firewall

Fortinet

The top funding priorities for chief information security officers (CISOs) in the coming year reveal a fundamental challenge facing enterprises today: They need more talent, and they need better training for employees. How are CISOs addressing this ever-present pain point?

“There are not enough security people available,” says Dawn Cappelli, chief information security officer at Rockwell Automation, the provider of industrial automation and information technology. “There is such a shortage of talent in the cybersecurity industry that you need advanced cybersecurity technology to get the job done.”

A recent Forbes Insights survey of over 200 CISOs found that talent and training constraints have a significant impact on security organizations. Moreover, the results showed that organizations with a siloed approach to security experience a greater negative impact than those with a strong, enterprise-wide strategic approach.

Which of the following security initiatives is your highest priority for funding in the coming year?

  • 14%: Creating a culture of security
  • 14%: Hiring more cybersecurity staff
  • 13%: Better security training of employees

Percentage of surveyed CISOs who believe talent constraints have an extremely high impact on their security organizations:

  • 12%: Strategy-constrained respondents
  • 4%: All respondents

Source: Forbes Insights/Fortinet survey of more than 200 CISOs.

“It’s about leveraging the rest of the organization,” says Emily Heath, vice president and chief information security officer at United, the global airline. “Too often security puts themselves in a corner, with the weight of the world on their shoulders. And it really is the entire organization’s responsibility. But they do look to us for counsel and advice and training and education.”

Educate and train employees and stakeholders on best practices to prevent or reduce breaches that target insiders, such as phishing. Just over a third (34%) of cyberattacks involved internal actors in 2018.[1] Think of awareness and action across the enterprise as a human firewall.

“Security does not reside just within my team—it resides across the whole organization,” says Heath. “For education and training, leadership is important in terms of how you affect change within a culture. Ultimately, to change a culture, you’re asking people to do something differently. You will get a lot more adoption if you explain the reasons why you’re asking people to change. That comes down to being transparent with the rest of the workforce [so you can] educate and influence and leverage the resources that you have outside of your own team.”

Build a culture of security awareness. United built out the concept of “cyber ambassadors” and “friends of security” for the airline’s staff, who watch out for security within their departments. Heath uses IT as an example. “Developers are not security professionals by trade, but if you educate them and give them the tools to ensure that the code that they release is secure, then they’ll take ownership. But you can’t just expect them to do it without explaining the reasons why and helping them understand why that matters to them.”

United has some 90,000 employees, so Heath emphasizes the importance of communication and embedding security into the DNA of the organization. “We believe in being very honest and transparent about security,” she says. “We talk to our employees in very real terms about what cyber actually means so that it’s relevant to them within their job. So we have an entire team of people who focus on the cultural aspects of embedding security within United’s operations and within our education and awareness team.”

Rockwell Automation formed an information-sharing group around its operations security team. The effort includes some strategic customers and subject matter experts within the company across divisions. Because operations are a central part of the business, Cappelli and IT teams work closely with engineers and other leaders who would normally be well outside the security fold.

“We created that whole strategy together,” Cappelli says. “It was IT, it was OT, it was security. We were all one big team—and we recognized that some people were subject matter experts in one area, and some people were subject matter experts in another. Seeing us all as one team creating was the best thing that we could have done. If IT security tries to create a plan for securing a production plant without working with the industrial automation engineers, it will be hard to get the buy-in that you need.”

Focus on talent retention. Rockwell Automation has created a defined security career path for its team members, so they can see where they can go from their current positions, what kind of experience or education they need to move to that other position, and the means to get there. “All of our security leaders work together so that good in-house candidates are ready when we have an opening, even if they don’t have exactly the experience. We train them for the new position rather than take a chance on their leaving the company.”

THE HUMAN FIREWALL

Training and culture are key elements of a successful cybersecurity strategy because so much of the vulnerability an organization faces is from within. Strong security is not just about a CISO’s immediate team; it’s about how strong and resilient the entire enterprise is from a human standpoint. Awareness is a big part of the battle. Incorporating best practices into every nook of the business is another. Successful security in terms of the insider threat is a mindset established by the leadership of the CISO.