Do you know where your organization's IT staff stands when it comes to its cybersecurity skills? Many companies today may be confident in their ability to prevent attacks, but few understand exactly where they are sufficient or deficient, and one small vulnerability can easily turn into a major data breach.
As such, business leaders' perception of their security teams' effectiveness may actually be skewed, a recent study by Accenture suggested. More than half of security executives said it takes months before sophisticated attacks are discovered, and about one-third are never discovered at all. More shockingly, 75 percent of security professionals said they're confident in their security teams' ability to prevent an attack, yet the majority of organizations don't have systems in place for effective monitoring.
Reconsidering our approach to security risks
Despite the ongoing occurrence of massive, high-profile and increasingly mature attacks in the headlines, a frightening number of companies remain locked in traditional strategies for information security. By failing to evolve with the emergence of new threats, organizations are hampering their own ability to defend against today's constant barrage of attacks. And Accenture added that, even when an attack does occur, the No. 1 priority for the majority of businesses is the company's reputation, followed by protecting customer data (44 percent).
If we want to measure the appropriate risks more accurately, and therefore defend against them, we need to shift our focus and take a new approach to cybersecurity. It starts with InfoSec assessments.
"A strong cybersecurity defense requires specific and accurate assessments."
Writing for Finextra, professor of applied information security Ian Robertson explained that it could be beneficial if businesses took the same approach to cybersecurity as many do in other fields. Instead of measuring information security solely against regulatory compliance, we should evaluate preparedness on the risks themselves. Other markets, such as financial and life sciences, analyze risks based on a combination of mathematical, statistical and experimental data.
Too often, businesses only look at the effectiveness of cybersecurity from an organizational standpoint, rather than evaluating the individual skill sets of IT security pros. Having IT pros complete InfoSec skills assessments offers a different view into where the weaknesses and risks are.
Getting specific with security assessments
Of course, there are different types of cyber risks (internal vulnerabilities versus malicious intrusions), and each requires a particular approach to mitigation and resolution. Just as an organization should prioritize threats according to severity, it should also prioritize cybersecurity training based on the skills and competencies needed for specific functions.
Especially as the world of cybersecurity shifts from a defensive and reactive posture to an offensive and proactive one, InfoSec roles are evolving and diversifying, and with them the skills and proficiencies needed to fulfill each job function. For example, identifying and prioritizing threats is different from actually preventing risk and resolving vulnerabilities.
So, when it comes to information security skills assessments, professionals should be evaluated on the specific competencies relevant to their role. This gives companies a better analysis of where the gaps are and where focus should be placed.
In addition to being prioritized, the assessment and training of cybersecurity skills should also be ongoing. Attackers are constantly maturing and evolving, so the development of network security teams must keep pace.
To learn more about the various InfoSec roles and skills needed to build a strong defense team, download our whitepaper.