It's hardly news that most CISOs worry their teams are too small. According to the Nemertes Research 2019-2020 Cybersecurity Research Study, many -- if not most -- cybersecurity initiatives are underfunded and understaffed.
What CISOs should worry about more, however, is whether they have the right cybersecurity team in place to confront emerging threats and challenges.
To get the right cybersecurity team structure in place, organizations should plan to fill the following three key roles in 2021. For organizations that have already filled them, the right team may already be in place.
Cloud security specialists set strategic direction
The Nemertes survey revealed that organizations with a specialist in cloud security saw an average of 47% improvement in mean total time to contain (MTTC) cybersecurity incidents. Nemertes uses MTTC as a bellwether metric to measure an organization's cybersecurity maturity. More mature organizations can more quickly respond to and contain security incidents. The median MTTC across all organizations is 180 minutes (three hours). Organizations with a cloud security specialist can reduce that to 105 minutes (under two hours).
Cloud security specialists need to focus on the strategy, architecture and operations of cloud security. That means they're in charge of setting strategic direction and defining the architecture. This includes defining security constraints that apply to workloads and resources placed in the cloud, along with determining how to secure cloud-based workloads today and in the future. Cloud security specialists should also focus on fleshing out operational processes, including the cloud incident response process, to ensure they take into consideration that workloads and resources are increasingly living in the cloud.
Third-party risk specialists tackle supply chain issues
COVID-19 exposed global supply chain risks when it comes to production and distribution. What's getting a lot less coverage are the cybersecurity risks. As the Supermicro hardware bug showed in 2018, third-party cybersecurity risk is real. It's trivially easy for an attacker to compromise a component of a key system without detection. The Supermicro bug was only detected because Amazon took apart the system in its labs, which even the U.S. Department of Defense had failed to do.
Leading-edge cybersecurity organizations are increasingly engaging cybersecurity third-party risk specialists to uncover and remediate those risks. It appears to be working. The Nemertes study showed that having a specialist correlates with a 50% improvement in MTTC (from 180 minutes to 90 minutes). A third-party risk specialist puts in place the policy and processes for vetting supply chains and other third-party relationships, determining areas of potential vulnerability and ensuring appropriate protection.
Digital ethics professionals weigh privacy issues
Sophisticated cybersecurity organizations are seeing the rise of specialists in digital ethics -- the people who worry about issues like employee privacy and the unintended impact of widespread use of AI and machine learning techniques. For example, when does behavioral threat analytics -- the discipline of monitoring employee and systems behavior from a cybersecurity perspective -- become overly intrusive? If a cybersecurity analyst sees an employee struggling with alcohol addiction bringing a cellphone into a bar, who should the analyst notify, if anyone?
Employee privacy is just one aspect of digital ethics, however. Digital ethics also applies to customers. If a customer service bot detects that a customer is potentially becoming violent via sentiment analysis during an online interaction, what action should the bot take to protect others from that violence? For example, think of Starbucks customers unhappy with their online orders deciding to take it out on the employees.
So, as organizations gather ever more information about their customers' needs and preferences, how should that information be safeguarded and protected from abuse?
Digital ethics is the discipline of answering those questions and of putting in place a set of policies, a framework and a set of tools for ensuring the organization conforms to what it agrees are the right answers. More than half of all security organizations (see graphic above) that participated in the study saw digital ethics as critical or highly critical. Having a digital ethics professional on board helps keep a cybersecurity organization at the forefront when it comes to addressing these challenges.