Why You Should Stop Measuring Cybersecurity in Terms of Budget

The last decade has seen an explosion in cybersecurity spending, with the global market valued at $112bn in 2019. Almost every month a new report details how firms are increasing their cybersecurity budgets or buying the latest tech to help defeat hackers. But is any of this correlating with a reduction in cybercrime?

A recent report found that while 85 percent of companies rated their security stack very highly, 86 percent of them had still suffered a data breach in the last 12 months. Clearly there is a disconnect between how companies measure their cybersecurity readiness and whether they achieve effective security in reality.

The typical way companies have tried to improve their cyber capabilities is by investing in the latest tech to protect their networks. While these systems can be effective, they still require employees with sufficient skills to operate them properly.

Given that the DCMS recently found that 48 percent of UK businesses struggled to find employees with basic cyber skills, such as being able to configure a firewall correctly, it seems unlikely that the majority of companies are getting the most out of these tools.

Experts often say that one of the best ways of defending your network is educating employees to be on the lookout for risks. Yet many businesses do not take their human cyber readiness into account at all, because they have no effective way of measuring the skills of their security team.

Measuring human cybersecurity readiness is difficult. Until now, companies have had to rely on certifications as a proxy for ability, and those quickly become outdated as attackers develop new techniques almost daily.

By failing to measure their human readiness, companies open themselves up to increased risk. Consider breach simulations: many organizations run them to give teams crucial experience for the day a real attack arrives.

Yet businesses rarely measure how well their teams coped with each scenario, or decide what training and actions should follow from it. An organization that cannot tell how strong its team is at cybersecurity will always be behind the attackers looking to steal its information.

Certifications do not always equate to skills

In the past, the only measure companies had for judging employees was the certificates they held. This led to hiring professionals on huge salaries who had worked in the industry for many years and collected the right qualifications.

Having a certificate does not mean someone is better at handling a particular threat than the most junior person on the team, because certificates alone cannot tell you who is best placed to handle a given response. The junior member may have had more recent hands-on experience with that type of threat, or may have just read up on the latest techniques.

Being able to continually measure who in the team is strongest at which tasks can go a long way towards defending against attacks more efficiently.

Often, rather than hiring talent from outside, organizations could spend a fraction of the budget on upskilling their existing staff. Of course, to do this you first need to know what skills your team already has, and where the gaps are that need to be filled.

Throwing money at unnecessary training is as unhelpful as having no training at all. Managers need to be able to see what skills their team has and quickly spot where the holes are. For example, mapping your team's skills to the techniques in the MITRE ATT&CK framework, and weighting those techniques by how relevant they are to your industry, would let managers assign specific training to individuals to plug the gaps that matter most.
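As an added illustration of that mapping (this is example code written for this page, not a tool from the article or from MITRE), the script below takes a small skills assessment against ATT&CK technique IDs and answers three questions a team lead would ask: who should lead a response to a given technique today, which high-priority techniques nobody covers, and who should receive training for each gap. The technique IDs and names are real ATT&CK entries; the team, the 0 to 5 scores, the proficiency threshold and the industry priority weights are all constructed for the example.

```python
"""Map a team's assessed skills onto MITRE ATT&CK techniques and find the gaps.

Example code for this page (not from the article). All scores, names,
weights and the threshold are constructed sample data.
"""

# Real ATT&CK technique IDs and names; everything else below is constructed.
TECHNIQUES = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed industry threat profile: technique ID -> priority weight
# (higher = more relevant to this business, e.g. a ransomware-heavy sector).
INDUSTRY_PRIORITY = {"T1566": 3, "T1078": 3, "T1003": 2, "T1021": 2, "T1486": 3, "T1059": 1}

# Constructed assessment, e.g. taken from breach-simulation debriefs:
# person -> {technique ID: score 0..5}
TEAM = {
    "alice": {"T1566": 5, "T1078": 4, "T1059": 2, "T1003": 1, "T1021": 2, "T1486": 0},
    "bob":   {"T1566": 2, "T1078": 2, "T1059": 5, "T1003": 4, "T1021": 3, "T1486": 1},
    "chen":  {"T1566": 3, "T1078": 1, "T1059": 3, "T1003": 2, "T1021": 3, "T1486": 1},
}

PROFICIENT = 4  # constructed threshold: score at which someone can lead a response


def best_responder(team, technique):
    """Return (name, score) of the person strongest on `technique` right now.

    Missing assessments count as 0; ties go to whoever is listed first."""
    return max(
        ((name, scores.get(technique, 0)) for name, scores in team.items()),
        key=lambda pair: pair[1],
    )


def coverage_gaps(team, priority, threshold=PROFICIENT):
    """Techniques in the threat profile that nobody covers at `threshold`.

    Returns [(technique, priority_weight, best_score)], highest priority first,
    and within the same priority the weakest coverage first."""
    gaps = []
    for tech, weight in priority.items():
        _, score = best_responder(team, tech)
        if score < threshold:
            gaps.append((tech, weight, score))
    gaps.sort(key=lambda gap: (-gap[1], gap[2]))
    return gaps


def training_plan(team, priority, threshold=PROFICIENT):
    """Assign each gap to the person closest to proficiency on it.

    Ties are broken towards the person with the fewest assignments so far,
    so training is spread rather than piled onto one individual.
    Returns {name: [technique IDs]}."""
    plan = {name: [] for name in team}
    for tech, _, _ in coverage_gaps(team, priority, threshold):
        candidate = max(team, key=lambda n: (team[n].get(tech, 0), -len(plan[n])))
        plan[candidate].append(tech)
    return plan


def readiness_score(team, priority):
    """Single weighted readiness figure in [0, 1]: for each technique, the best
    score in the team (capped at 5) weighted by industry priority."""
    total_weight = sum(priority.values())
    weighted = sum(w * min(best_responder(team, t)[1], 5) / 5 for t, w in priority.items())
    return round(weighted / total_weight, 3)


if __name__ == "__main__":
    print(f"Readiness: {readiness_score(TEAM, INDUSTRY_PRIORITY):.0%}")
    for tech, weight, score in coverage_gaps(TEAM, INDUSTRY_PRIORITY):
        name, _ = best_responder(TEAM, tech)
        print(f"GAP {tech} {TECHNIQUES[tech]}: priority {weight}, best is {name} at {score}/5")
    for name, techs in training_plan(TEAM, INDUSTRY_PRIORITY).items():
        print(f"{name}: train on {', '.join(techs) or 'nothing'}")
```

With the constructed data the team is strong on phishing and scripting but nobody reaches the threshold on Data Encrypted for Impact (T1486) or Remote Services (T1021); the plan sends bob, the closest to proficient, on T1486 and, because bob and chen tie on T1021, gives that one to chen rather than loading bob twice. Re-running the script after each simulation is the "continual measurement" the article argues for.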

Security teams constantly measure how their security products are performing and patch them where necessary; it seems absurd not to do the same for the skills of the people running them.

Diversity of thought is the key to solving the cybersecurity skills gap

What is obvious throughout all of this is that people are good at different things. Diversity of thought is one of the most valuable assets a security team can have, because confronting a problem from different perspectives greatly improves the chance of finding a solution.

Recruiting on the basis of the skills a person has, rather than the certificates they hold, supports this and expands the pool of candidates. For example, someone who studied economics might have exactly the analytical skills needed to spot a phishing campaign, but would never be recruited because they did not take the right course at university or hold the right certificates.

All of this becomes possible once management starts to measure teams by the skills they have, rather than by how much they are paid.

Clearly, the strength of a company's cybersecurity can no longer be measured by how much money is spent on it each year. People are one of the greatest defences a company has, so it is vital to measure their strengths and weaknesses accurately and map those skills to the specific threats the business faces. Once managers can identify the weaknesses in their teams, they can tailor regular, up-to-date training to upskill people exactly where it is needed.