Member Article

Human skill and expertise most important element of cyber resilience according to new poll

More than 40 per cent of respondents in the latest Twitter poll, run by Infosecurity Europe, singled out human skill and expertise as the most important element of a successful cyber resilience approach. The aim of the poll was to explore the importance of resilience in cybersecurity, that is the ability of an organisation and its cybersecurity professionals to prepare, respond, and recover when cyberattacks happen.

With the number of cyber-attacks faced by organisations growing on a daily basis and a projection that 146 billion records will have been exposed in the five year period from 2018-2023 the pressure cybersecurity professionals are under has never been greater. Couple this with the threat of regulatory fines, reputational damage and the growing skills shortage - there are nearly 3 million unfilled cybersecurity positions at companies worldwide – it’s clear that protecting individuals and enhancing their resilience should be a key priority for organisations.

Human skill and expertise was the clear leader with 40.5 per cent of respondents in answer to the question what is the most important element of a successful cyber resilience approach?. Next was implementing best practice at 22.5 per cent, and 20.1 per cent said governance and compliance. Implementing advanced technology was considered their lowest priority at 16.8 per cent.

Paul McKay, Senior Analyst at Forrester Research, agrees: “Undoubtedly human skill and expertise is the most important element of a cyber resilience approach. You can have all of the technology and best practice approaches deployed in the world, but ultimately successful cybersecurity relies on the skills, ingenuity and cognitive ability of the human brain. Many of my clients have gaps in their security team caused by difficulties in finding enough people to fill open roles on their teams. This impacts them critically both in progressing their security program, but more importantly, the mental, physical health and wellbeing of everyone else who are often doing heroic work making up for gaps in their teams. I don’t think I’ve ever seen security professionals under this much pressure.”

The poll examined the repercussions of the pressures faced by workers, asking information security workers the question have you ever made significant mistakes as a result of being overstretched or stressed at work? Over half said yes – 26.8 per cent answered yes, significant errors, while a further 31.9 per cent said yes, minor mistakes had been made. A quarter (25 per cent) said no and 16.2 per cent didn’t know. Unsurprisingly a recent report found that 65 per cent of IT and security professionals considered quitting due to burnout.

Maxine Holt, Research at Ovum: “I haven’t witnessed anything directly but have heard of plenty of instances of security incidents and breaches that are accidental (don’t know doing wrong) or negligent (know circumventing procedures just to get the job done) in nature, and for sure some of these can be attributed to lack of time or stress. For example, having to follow a convoluted process to log a sale might be bypassed just because someone has a target that they must meet, it’s the last day of the sales period, and a person’s job depends upon it. There is plenty of anecdotal evidence in both the private and public sectors.”

Employee mental health and well-being should be an essential consideration for all employers and none more so than those working in information security but is enough being done? Responses to the question does your organisation provide mental health support to its employees who are responsible for dealing with a cybersecurity data breach or attack were resounding with a staggering 45.5 per cent answering no, 31.6 per cent didn’t know and just over a fifth (22.8 per cent) said yes they were being offered support.

Kevin Fielder, CISO at Just Eat believes organisations need to be doing more, “It’s a high pressure, always on role that can easily burn people out. Organisations need to really recognise this and provide support for their teams. As a manager I also try to make the team and working environment as flexible and supportive as possible.” Kevin says the best kind of support is: “an organisation that genuinely invests in it and makes support/counselling available to all plus a team culture that is supportive - I think the right team is absolutely critical to success here.”

Nicole Mills, Senior Exhibition Director at Infosecurity Group says: “We as Infosec professionals and leaders, need to be resilient ourselves – developing new skills and on a personal level, being resilient to the stress and pressure facing people in our industry.”

“Our poll clearly highlights that human skill and expertise is the most important aspect in building a strong cyber resilience strategy and this is why organisations need to focus on providing a safe and supportive environment to protect their most important asset. By building the expertise of those involved at the sharp end of cyber-attacks and taking measures to provide them mental health support will not only help to strengthen resilience, but it will attract and reassure those wanting to enter the industry.”

This was posted in Bdaily's Members' News section by Amanda Hassall .