Risk ∝ (Threat * Vulnerability) / Controls
More threats or more unmitigated vulnerabilities means more risk. More effective controls means less risk. We all know this and most of us have experienced it. It really is straightforward. However, a full 68% of executives say their cyber risk is increasing. Covid-19 and digital transformation have pushed cyber risk up even further.
In 2021, it’s critical for businesses of virtually all types to take the time to view themselves through the lens of cybersecurity – while cybersecurity professionals must view their work through the lens of real businesses.
To shed light on that reality, I recently had the privilege of moderating a fascinating panel discussion at PrivSec Global, bringing together a variety of perspectives on the context of cybersecurity – both today and in the future.
Driving that conversation were Gal Shafir, Global Director of Pre-Sales Engineering at Siemplify; Tyler Young, Head of Cybersecurity at Relativity; and our very own Omer Carmi, VP of Intelligence here at Cybersixgill.
While the discussion was wide-ranging, there were four trends that were really central to it. For anyone who missed the conversation, I would recommend taking note of these four big ideas:
It goes without saying that talented cybersecurity professionals realize the extent of the risks their employers could face if they don’t take proper precautions. But there has long been a sense that there were too few executives outside of our field who realized what they were up against. Now, it seems that that reality could be changing.
And here, I’d like to credit Tyler Young for a great “glass half-full” perspective on cyber threats: He argued that because the high-profile cyberattacks of recent years have created a growing awareness of these threats, it is now getting easier to convey (“translate,” to use his term) these risks to business executives.
But as encouraging as Tyler’s perspective was, our discussion of the realities facing the cybersecurity workforce was a bit less rosy, to say the least. And that brings us to a second key takeaway from our discussion.
It’s no secret that the field of cybersecurity suffers from a labor shortage. But why? Why isn’t the combination of good salaries, a growing variety of opportunities, and the chance to help out “the good guys” driving enough people into the cybersecurity workforce to close this gap?
Gal Shafir offered a bit of a reality check here. He suggested that we’re actually trapped in somewhat of a vicious cycle, which basically goes like this:
But it wasn’t all bad news from Gal! He suggested that innovative technologies such as automation can help alleviate this labor shortage, and that companies need to develop more efficient ways to realize the full potential of the resources that they’re already paying for – including both people and technologies. Not only can this kind of shift benefit organizations as a whole, he argued, but it can let them empower their employees to focus on aspects of cybersecurity that are more interesting, engaging, and rewarding. By letting innovative technologies handle the most mundane aspects of cybersecurity, these companies can help their team members to develop skills that will enhance their career paths – all while making their work more enjoyable.
Of course, dealing with technology isn’t the only skill it takes to make it in the field of cybersecurity. During our conversation, Omer Carmi emphasized what he called “the art of storytelling, of building narratives” as an important skill for cybersecurity professionals. It’s not enough to share information across departments, he argued – and too often, cybersecurity pros actually share too much information without enough business context. To convey key insights more effectively throughout an enterprise, he said, cybersecurity teams need to craft a holistic narrative tying together macro (strategic) aspects of security, micro (tactical and specific) aspects, and everything in between.
And speaking of challenges…
Just like (seemingly) every other field, cybersecurity is being affected by automation today. But, at the same time, cybersecurity is different from other fields in the extent to which it relies on automation simply to function effectively. Omer made the point that rather than replacing cybersecurity team members, innovative technologies (such as automation) actually empower these professionals to maximize their productivity.
Then again, automation itself doesn’t guarantee the cybersecurity successes that we often wish it would. While the issues at play here are complex, Gal summarized many of them in a beautifully simple way: “Automating a broken process will just help you break things faster.” He explained that before automating a process, it is important to make sure that process is scalable, repeatable, and effective in the first place.
And accidentally “breaking” a process isn’t the worst possible outcome of automation or artificial intelligence being used badly. Gal also predicted that AI is at the heart of many of tomorrow’s worrying cyber threats. Just as the use of AI to protect against cyber threats has started increasing dramatically, now we’re starting to see some threat actors using AI to drive their criminal schemes.
At the same time, our discussion emphasized, the use of threat intelligence is also becoming more widespread in the world of cybersecurity. Specifically, Tyler pointed out, as companies use threat intel to act against cyber threats earlier in the attack cycle, they can also use this intelligence to enhance their vulnerability management by prioritizing the vulnerabilities presenting the greatest short-term risk. With the vulnerabilities to be patched coming at developers faster than those developers can work, a more pragmatic and flexible approach to prioritizing the most urgent vulnerabilities can enable them to spend their time where it is most needed.
And on a somewhat less technical note…
It’s not just the technological side of cybersecurity that is making progress quickly. The past several years have seen groundbreaking privacy legislation take off in many parts of the world, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. Not only have these laws raised the stakes by allowing for major penalties for cybersecurity failures, but they have also inspired similar laws around the globe.
These laws have already begun to change the day-to-day work of cybersecurity professionals. As Omer pointed out during our discussion, today it’s common for organizations to have C-level executives (chief privacy officers, chief risk officers, and others) tasked with ensuring compliance with privacy laws – positions that many of these companies only created in the past five years.
Of course, it’s not just a matter of hiring. The legal changes of the past five years have already impacted the very idea of what it means to protect a company from cyber threats. These changes will undoubtedly continue in the future, as the legal landscape adapts to keep up with technological trends.
As cybersecurity professionals, we aren’t just tasked with using technology to detect threats and protect our organizations against them. We often function as our organizations’ resident experts on cybersecurity, and that makes advocacy and cross-departmental communication a key part of what we do. It also means that our work itself is often influenced by changing organizational dynamics and not only by technological developments and innovative threats.
Looking at our work from this interdisciplinary, real-world perspective at PrivSec Global, we saw four key trends that we should all keep in mind. But, in a sense, it all boiled down to one reality that we should expect to face for the foreseeable future: more. More focus on cybersecurity within our companies, more of a struggle to fill our ranks, more sophisticated technologies working both for us and against us, and more pressure on us to help our organizations comply with relevant laws.
That reality doesn’t make our work any easier, but it sure keeps it interesting. And I don’t know about you, but I’m already looking forward to PrivSec Global in September.
Did you miss our panel discussion at PrivSec Global?
It’s not too late to view the video on demand for all the insights from our fascinating panelists.