It’s that beneficial time of year, the moment when the annual ISACA State of Cybersecurity report is released. A chance to understand how the real-world workplace is changing based on the feedback from a global sample of thousands of my fellow infosec professionals.
For me, one of the most interesting takeaways from the content this year is how the cybersecurity skills priorities are changing. What is the most sought-after skill?
As any seasoned, charred or otherwise overcooked security person can tell you, identity and access management is very much the central pillar of cybersecurity. Why? Because it is the primary target for cyber-criminals to exploit. A hacker who can acquire unauthorized access to stolen or cracked credentials has a significant foothold and pivot point from which to cause substantial damage.
If you look through any set of security controls or security audit pack and then do the maths (alas, I confess that I have done this many times), then you will find that based on the risk weightings and number of tests performed – identity and access management tends to knock the other audit categories of controls out of the park.
It is not that other security categories are unimportant – but as the overused saying goes – ‘a chain is only as strong as its weakest link.’ Identity and access management has always been considered less of a link in the security chain and more the attachment point on which all of the chains are critically dependent.
Not this year, though. This year, the category of identity and access management is relegated to third place, according to the ISACA data.
In first place is (drum roll please)… cloud computing.
There are a few inherent problems with this answer – but perhaps that is the point. Cloud is not a single thing – it is a vast collection of the almost nebulous:
- Infrastructure-as-a-Service
- Software-as-a-Service
- Platform-as-a-Service
- … the list goes on and on.
Within each category, there are countless vendors, each with their own strengths, weaknesses and vulnerabilities.
Until a few years ago, it was quite difficult to get management to understand the security risks associated with migrating to (and embracing) a diverse set of cloud solutions (is there a single cybersecurity professional out there who has not been told in response to a question about security, “it’s the cloud” – as though that was an answer).
When it comes to cloud, attitudes are different now. Most CEOs have seen what happens to them if they accidentally allow data or services they are responsible for to be compromised. They know that a claim of ignorance or incompetence will no longer save anyone’s reputation.
For example, my day job is spent mostly working through the hot cyber topics for publications and presentations. In that context, the cloud computing answer resonates strongly with my recent inbox. Everybody wants to work out how they can take their loosely lashed-together digital landscape of lowest-cost cloud technology services and add security.
Just when everybody hoped that the security environment could not be more challenging, recent world events have created a further substantial uptick in cyber-attacks. This has also increased the sense that maybe we should all care more about the security of everything we ever purchased and placed in the cloud. Not so much buyer’s remorse as a penitent desire to security upcycle anything in the cloud that might be more critical to the organization once the current threat landscape is taken into consideration.
Zero trust, extended detection and threat response (XDR), SASE (secure access service edge) – almost all the hottest topics are about how to take the security standards that were (once-upon-a-time) applied as standard to traditional networks and *seamlessly* implement them across cloud (and other) environments (although XDR also has its own position in this chart in fifth position).
The number one position for cloud computing makes sense. It reflects the growing concern about cloud security and the gradual evolution of the requirement to ensure that each organization has a consistent security architecture that extends over and includes any important cloud solutions and services in use.
The valuable takeaway here for any cyber professional is to invest time in understanding all the security technologies that help to synchronize security across cloud and other environments. Organizations are finally moving toward a security position where they want consistency and reliability across the entire digital landscape.
See more insights from the ISACA State of Cybersecurity 2022 report here.