Even if there hadn’t been a global pandemic, security incidents for organizations would have increased in the last 2 years. From ransomware to deepfakes, cybersecurity attacks are on the rise, and industry professionals are feeling the squeeze.
According to surveys, new strains on security experts, propelled by the pandemic, are compounding security difficulties for companies and increasing these risks.
Why, besides the obvious, are cybersecurity experts under new pressure?
Remote Work Post-Covid
Remote work was adopted as we all entered the COVID pandemic world. Many organizations pushed years’ worth of work onto their IT and security teams to enable their workforce to work remotely and to meet local and federal requirements. In some cases, these solutions were deployed as a temporary fix, with no plans to do much else with them, on the assumption that they would not be needed once COVID was under control. That has not been the case: most companies are returning to normal operations while embracing a highly distributed workforce like never before.
This adoption is great for the employees who want the flexibility, but it comes with challenges for the security and IT teams. In many cases, key controls and capabilities are still missing or have not been implemented. With these controls missing, security leaders are left with more work to manage, much of it manual. This fuels burnout in many organizations, which directly leads to problems with turnover and performance.
Turnover has been rampant across industries and across skill sets. Security has been no different, but there it is a trend that has been building for many years, even before the “great resignation”. Turnover not only hurts team chemistry but also hurts morale for a myriad of reasons.
Turnover puts strain and additional work on every security expert within a team. The required monitoring, daily tasks, and control maintenance need constant attention. In some teams, this forces the members who remain with the organization to take on additional hours. Couple this with the unknowns of the hiring process – which can often be drawn out and result in a great deal of compromise on skill sets – and you have another reason cybersecurity professionals feel overwhelmed.
It is a tired cliché that the weakest link in an organization’s security program is its people. While most individuals are well-meaning and simply trying to find easier, more efficient ways to do their work, those shortcuts can often create security holes or points of compromise. Proper training and awareness campaigns are needed to make individuals understand why those pesky security controls are required and implemented. Some organizations are not investing nearly enough in this to assist the security team, because the value can be hard to conceptualize.
Investing in security awareness training, specifically on phishing and social engineering, can help reduce both the workload and the security threats for the organization. Users are primary targets for many attacks, and phishing and social engineering continue to be a primary mode of malware delivery, including ransomware. Additional training focused on good cyber hygiene is needed to make users aware of how to protect themselves and their organization when conducting day-to-day work and engaging with online resources.
Investment, not only in cost but, importantly, in time, is sorely needed to allow for continued training of security experts. Security is not a stagnant industry: threat actors have the advantage of being on the offensive side and can adjust their attacks to take advantage of weaknesses in defensive controls.
For this reason, it is critical for security SMEs to continue to upskill and train to understand technology advancements, changes in security controls, and industry best practices. It is unreasonable to expect an SME to stay up to date and be able to address emerging security threats while working a full-time job, without the organization providing the time and investment necessary for training.
At this critical juncture, it is important for organizations to understand that the risks to their security team, while they may overlap with the organizational risks, may not be getting the correct priority. Every expert in the security field wants to avoid breaches and ransomware events, but in most cases they are not thinking about them day to day. Instead, they focus on the risks, or the lack of investment, affecting them as individuals. The risks identified in this article are ones that many organizations have failed to think through or address, which is leading to more unsatisfied, stressed, and overworked security professionals, and in turn to greater risk in the long term.