More than 40 percent of respondents in the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event, singled out human skill and expertise as the most important element of a successful cyber resilience approach. The aim of the poll was to explore the importance of resilience in cybersecurity, that is, the ability of an organization and its cybersecurity professionals to prepare, respond, and recover when cyberattacks happen.
With the number of cyber-attacks faced by organizations growing on a daily basis, and a projection that 146 billion records will have been exposed in the five-year period from 2018-2023, the pressure cybersecurity professionals are under has never been greater. Couple this with the threat of regulatory fines, reputational damage, and the growing skills shortage – there are nearly 3 million unfilled cybersecurity positions at companies worldwide – and it’s clear that protecting individuals and enhancing their resilience should be a key priority for organizations.
Human skills and expertise were the clear leader, chosen by 40.5 percent of respondents in answer to the question “What is the most important element of a successful cyber resilience approach?”. Next was implementing best practice at 22.5 percent, and 20.1 percent said governance and compliance. Implementing advanced technology was considered the lowest priority at 16.8 percent.
Paul McKay, Senior Analyst at Forrester Research, and a speaker at this year’s Infosecurity Europe, is in agreement: “Undoubtedly human skill and expertise is the most important element of a cyber resilience approach. You can have all of the technology and best practice approaches deployed in the world, but ultimately successful cybersecurity relies on the skills, ingenuity and cognitive ability of the human brain. Many of my clients have gaps in their security team caused by difficulties in finding enough people to fill open roles on their teams. This impacts them critically, both in progressing their security program and, more importantly, in the mental and physical health and wellbeing of everyone else, who is often doing heroic work making up for gaps in their teams. I don’t think I’ve ever seen security professionals under this much pressure.”
The poll examined the repercussions of the pressures faced by workers, asking information security workers the question “Have you ever made significant mistakes as a result of being overstretched or stressed at work?” Over half said yes: 26.8 percent answered “yes, significant errors”, while a further 31.9 percent said “yes, minor mistakes” had been made. A quarter (25 percent) said no and 16.2 percent didn’t know. Unsurprisingly, a recent report found that 65 percent of IT and security professionals have considered quitting due to burnout.
Becky Pinkard, Chief Information Security Officer with Aldermore, who will also be speaking at this year’s event, said: “The average lifespan for CISOs is quite frightening. One of the last stats I’ve read, it’s just 18-24 months. When you start to look at that and relate that back, literally anyone in cybersecurity will be able to tell you a time when they’ve made a mistake, whether that’s because they didn’t know what they were doing, were stressed out, or they felt under pressure from project management or timeline pressure, and we are constantly faced with the same constraints, so it will always be an issue we need to recognize and deal with.”
Maxine Holt, Research at Ovum shared her thoughts: “I haven’t witnessed anything directly but have heard of plenty of instances of security incidents and breaches that are accidental (don’t know to do wrong) or negligent (know circumventing procedures just to get the job done) in nature, and for sure some of these can be attributed to lack of time or stress. For example, having to follow a convoluted process to log a sale might be bypassed just because someone has a target that they must meet, it’s the last day of the sales period, and a person’s job depends upon it. There is plenty of anecdotal evidence in both the private and public sectors.”
Employee mental health and well-being should be an essential consideration for all employers, and none more so than those employing people working in information security, but is enough being done? Responses to the question “Does your organization provide mental health support to its employees who are responsible for dealing with a cybersecurity data breach or attack?” were resounding, with a staggering 45.5 percent answering no, 31.6 percent saying they didn’t know, and just over a fifth (22.8 percent) saying yes, they were being offered support.
Kevin Fielder, CISO at Just Eat, believes organizations need to be doing more: “It’s a high-pressure, always-on role that can easily burn people out. Organizations need to really recognize this and provide support for their teams. As a manager, I also try to make the team and working environment as flexible and supportive as possible.” Kevin says the best kind of support is: “an organization that genuinely invests in it and makes support/counseling available to all, plus a team culture that is supportive – I think the right team is absolutely critical to success here.”
Independent Researcher Dave Edwards says: “Security is a very stressful job, as risk decisions need to be made. Good decisions are not always a popular choice; they can delay projects and cost revenue. Companies can do more. I have had a positive experience, although this is about company culture and organizational values; senior leaders such as CIOs, Directors, etc., need to lead and set an example through good behaviors, as they cascade across an organization for all staff.”
Nicole Mills, Senior Exhibition Director at Infosecurity Group, says: “We, as Infosec professionals and leaders, need to be resilient ourselves – developing new skills and, on a personal level, being resilient to the stress and pressure facing people in our industry.”
“Our poll clearly highlights that human skill and expertise is the most important aspect in building a strong cyber resilience strategy, and this is why organizations need to focus on providing a safe and supportive environment to protect their most important asset. Building the expertise of those involved at the sharp end of cyber-attacks and taking measures to provide mental health support will not only help to strengthen resilience, but will also attract and reassure those wanting to enter the industry.”