With modern digital supply chains becoming increasingly complex, organisations are finding themselves having to protect not only their own digital boundaries, but those of their suppliers, customers, and others too. Keeping on top of the constantly evolving threat landscape has therefore never been more important. Although investing in the right tech and infrastructure is undoubtedly crucial, the human element of the process – specifically, hiring the right talent to tackle the latest cyber threats – is coming into ever sharper focus.

With this in mind, here’s a rundown of the security and privacy trends that should be on every organisation's radar this year, along with an analysis of how the government and industry at large are responding through key investment and talent attraction. 

Making IoT secure by design

Security and privacy should be top of the agenda for any business that is building or using Internet of Things (IoT) networks. IoT has traditionally suffered from a poor reputation when it comes to security; those manufacturing connected objects historically left security way down the list of priorities in the design process, and didn't equip their hardware with a robust process for updating and patching software. 
That's set to change: IoT users are no longer willing to accept second best when it comes to security. The field has also been given a boost by government funding: at the start of the year, the Department for Business, Energy & Industrial Strategy announced a £100m investment for information security research and development. The lion's share of the funding will be focused on helping to make security part of the design process for devices and processors, with a smaller but not insubstantial chunk of funding going towards boosting security at the periphery of networks.
Increasing IoT rollouts, combined with a growing awareness of the security threat that IoT devices may present, will see businesses funnelling more investment into ensuring every piece of hardware – from the simplest to the most complex – is secured. As the government's funding makes clear, companies need to put greater emphasis on not only designing out the security flaws in new hardware on the supplier side, but also addressing any flaws that find their way into the system on the customer side. For those planning to deploy or extend their IoT presence, that could mean adding new headcount with expertise in endpoint security, networking security, and lifecycle management, to make sure that all devices and connections are both appropriate and suitably locked down.

Embracing a more diverse workforce

According to the Joint Committee on the National Security Strategy, during its ongoing inquiry into the information security of the UK’s critical national infrastructure (CNI), "we heard that although the UK has one of the most vibrant digital economies in the world, there is not currently the information security skills base to match, with both the Government and private sector affected by the shortage in skills." 
In order to counter that gap, organisations are looking outside the traditional candidate pool. Earlier this year, the Department for Digital, Culture, Media, & Sport announced funding to help bring more diversity into information security, encouraging more female, BAME, and neurodiverse people to join the industry. Efforts to inspire more neurodiverse candidates to consider working in the sector have been gaining traction over the last year. The National Autism Society and others have run pilots specifically around information security recruitment, while technology companies including Microsoft and SAP have launched programs to hire more people on the autistic spectrum. Expect work to make information security and privacy a more diverse industry to continue gathering pace in the short term, with a view not only to broadening capabilities within the industry but also to addressing ongoing security skill gaps.

Automation and orchestration

The most common threats that have marked the enterprise environment in recent years haven't gone away: ransomware, cryptojacking, and spear phishing are still risks to most businesses. One solution to address such common but unsophisticated threats is the use of security orchestration and automation, whereby routine security operations tasks are taken over by software, freeing up human workers to concentrate on higher value work. Detecting and isolating threats, as well as managing network alerts, can increasingly be handled without the intervention of human workers. While growing automation could potentially be seen as a way of reducing security resourcing, businesses still need staff able to set up and maintain such automated systems, and automation also allows organisations to redeploy their staff to tasks that strengthen their security in new ways.

Data privacy concerns haven't gone away

While GDPR may have been the privacy story of last year, organisations are still grappling with the after effects of the legislation. France's regulator handed out the continent's largest penalty under the GDPR earlier this year, fining Google a record €50m. While it might not be a significant pecuniary blow to a company of Google's size, it shows that the GDPR is not the damp squib that many predicted. Not only should GDPR be just as important to organisations this year as it was in 2018, but data privacy will be an extra challenge when the UK exits the European Union. Due to the current uncertainty over which form Brexit will eventually take, companies should be exploring the potential impact of various scenarios for how they handle customers' and suppliers' information. Those with an international outlook will also need to concentrate on ensuring that they comply with recent changes to US legislation, including the need to notify the Department of Financial Services of any data breach within 72 hours.

Talking the talk

Given the growing costs associated with avoidable security and privacy breaches, be it through fines from regulators, reputational damage, downtime, or the need to improve security systems post hoc, there's no denying that security should be a board-level issue for most companies. However, there has traditionally been a disconnect between those at the top table and those in the IT department. One of the most valuable skills that businesses need to invest in is not necessarily implementing new frameworks or achieving next-level certifications, but communicating the intricacies and importance of security and privacy to individuals holding budgets and setting corporate strategy.
Doug Rode
Senior Managing Director
PageGroup