I spent the first few years of my career as a financial advisor and hated every day. It was boring, slow paced, and confusing to customers. Two words to describe asking grandma about her annuity over every holiday dinner: not fun. So in 2012, I joined the fast-paced, ever-changing world of cybersecurity. Over the past six years, I have held a number of sales roles, both in leadership and as an individual contributor. I have found it – thankfully – to be the exact opposite of the finance world… except when it comes to the confusion in the market.
A data security plan is an organization's framework for employing security tools to make sure digital information is accurate, reliable, and available when those with authorized access need it—and not those without authorized access, such as malicious hackers. There are a few basic steps involved in assembling a quality data security plan:
As the field of cybersecurity explodes, it becomes harder for corporations to attract the talent they need. To make matters worse, there's a shortage of qualified cybersecurity professionals. According to an ESG research report, 44% of organizations are short-staffed in cybersecurity, and an ISACA study found that 35% have open cybersecurity positions they're unable to fill. In this challenging hiring market, how can you attract the talent you need to stay safe?
Banks, credit unions, and other financial institutions face major challenges when protecting financial data in today’s threat landscape and must also deal with compliance mandates for GLBA, FFIEC, SOX, PCI, and a patchwork of federal, state, and other industry regulations. For example, in March of this year, the National Futures Association enacted its Cybersecurity Interpretive Notice to help structure and strengthen members’ information security programs. These guidelines suggest that each member firm establish a written governance framework, assess and prioritize IT risks, defend specifically against identified threats and vulnerabilities, create incident response plans, and provide continuous employee training. These guidelines build on the SEC’s Cybersecurity Examination Initiative conducted by the Office of Compliance Inspections and Examinations (OCIE), which focuses on six key areas in its audits:
- Cybersecurity Governance and Risk Assessments
- Access Rights and Controls
- Data Loss Prevention (DLP)
- Vendor Management
- Cybersecurity Incident Response
- Cybersecurity Awareness & Training
Many companies today tend to employ certain familiar cybersecurity solutions that were once sufficient in the past but are now outdated. These answers may have worked decades ago, when breaches were less common and cybersecurity was the province of an elite few, but now cyber attackers are far more numerous and far more advanced. Yesterday's advice no longer protects firms from costly data compromises. Here are three outdated techniques, and what organizations should be doing instead.
You don’t have to be a cyber security expert to realize that the digital world is under immense pressure to defend against sophisticated cyber attacks. The significant data breaches in 2015 alone -- to organizations such as Ashley Madison, Premera, Anthem, Office of Personnel Management, and the IRS -- are a scary reminder that no one is safe and that everyone needs to improve their cyber security posture. There's no better time than now to start shifting the balance of cyber security intelligence back into the hands of the “good guys.”
Coerced by the pressures of competition, businesses have to carefully weigh the value of every minute and every expense, seeking to maximize productivity and minimize expenses. In such a stressful environment, it can be easy to disregard the necessity of cybersecurity. If a company has not suffered a data breach in the past, it may not encounter one in the future—or so the thinking goes. But when security is sacrificed, any gains are likely to be short-lived, leading to serious consequences.
The Illusion of Speed
Cybersecurity takes time to put in place. Hiring an auditing team, for example, to evaluate all of the risks your company faces means you must schedule precious time to meet with the auditors, to decide what to do about their recommendations, and then implement them. It’s understandably easier to forget such tasks in favor of the familiar challenges of regular work.
“Jack of all trades, master of none” is not a figure of speech anyone relishes having aimed at them. You go out of your way to deepen your skill sets and experience so that you can do things others can’t. In spite of this, many IT organizations yield to the temptation to keep all security functions in-house despite lacking the time or resources.
It's wise to have someone inside your business whose job is to be aware of the security environment and maintain security controls. To freight that person, or small team, with keeping current on every new threat and with measures for their detection, isolation and destruction is asking far too much of both your people and your organizational chart.
Although employer demand for cybersecurity talent has grown steadily since 2007, several recent high-profile computer-hacking and data breach incidents are pushing that need to new levels, according to a 2014 study by the RAND Corp. The report, “Hackers Wanted: An Examination of the Cybersecurity Labor Market,” found that a growing nationwide shortage of qualified cybersecurity professionals could threaten the business operations of millions of private-sector employers.