With today's emerging and ongoing cyber threats becoming increasingly sophisticated, organizations can't afford to be naïve or neglect risk management as a top priority within their mission. Risk Management has evolved exponentially and will continue to change, especially over the next 10-15 years. Proactive risk managers don't operate within bubbles. They think long-term, examining all risks across the organization, and look at every risk mitigation procedure and workaround available within their means. These steps are necessary to address outstanding vulnerabilities as quickly as possible.
Risk managers must always think about the worst predicament occurring, the company not being prepared, and what it will take to assess the risk at a moment's notice. This is no easy task. One of the most critical emerging risks in today's organizations involves Internet of Things devices. This dynamic poses significant risks. IoT devices can easily be breached, and they are not likely to be patched or updated quickly. In times past, most organizations thought of disaster recovery plans as only an afterthought. Yet, when their networks become unavailable, panic emerges quickly, and departments start scrambling over what to do next.
It is crucial that organizations employ personnel experienced in risk management procedures. Recent studies show that over 80 percent of North American IT departments have skill gaps when it comes to risk management expertise. The same studies put the cost of these skill gaps at up to 416 hours and over $22,000 per employee annually.
These skill gaps prove organizations haven't been serious enough in addressing their cybersecurity measures. As more corporations are looking for ways to transfer their company's data to the cloud, it's essential that the right expertise is acquired now to manage and implement these new technologies within these environments.
Cloud computing is the top investment worldwide for all IT departments, including within many federal organizations. Over 50 percent of organizations today use more than one cloud provider. This can cause significant problems for understanding the security controls inherited, any disaster recovery procedures these vendors provide, what tools are being used to scan these environments, how often the scans are run, and the timelines enforced for remediation purposes.
It takes time to train people who have not been exposed to these many factors. And time is not on an organization's side when it comes to protecting internal networks from being exposed. That's why many companies are now considering bringing on third-party vendors whose personnel are already experienced in addressing these issues and available for contract.
These vendors have the necessary skill set to:
Review all security policies within these organizations
Create a gap analysis
Document vulnerabilities or deficiencies
Review documentation for hot or warm sites for business continuity plans as well as network redundancies and recovery time should a major disaster occur
Determine if Business Continuity Plan (BCP) functional test plans have been created to document the BCP, and determine the last time a BCP test was run successfully
Employ people skilled in reading Nessus and WebInspect scans
These measures are necessary for analyzing outstanding vulnerabilities based on the risk criticality. These vendors also must be skilled in knowing which security controls are inherited from these cloud providers and which ones are not.
Because organizations are looking for better ways to manage their data, finding ways to automate the handling of that data is time-consuming and extremely vulnerable to lapses in confidentiality. Risk management experts are needed to address log monitoring and enterprise resource planning integrations. The downside is that hackers are using automation to execute their attacks as well, and the scripts inside the tools companies use to automate are fast and easy to alter.
Automation is huge in cloud migrations, and it carries many security risks as well. Rising skill gaps have made project managers' jobs even more difficult, as critical expertise is still lacking. Hence, companies will incur costs or lost revenue through neglecting to hire skilled experts to address these needs.
Approximately 90 percent of all organizations will have adjusted project plans as well as delayed product/service releases. This is a natural consequence of global supply chain issues. As founder and leader of Geopolitical Risk Advisory out of London, Dr. Elizabeth Stephens observes, "businesses need to ask themselves 'who supplies their suppliers? It takes 30,000 parts to make a car, but only one not to make a car.'"
So, it comes down to a choice. All organizations must know where they stand today. They must employ the necessary people to handle these difficult tasks. There may not be a second chance to address this risk. The key now is to upskill and certify professionals based on the technologies these cloud providers employ or hire a third-party vendor with the necessary personnel to address these issues associated with these different cloud platforms.