There’s no doubt that COVID-19 has impacted and transformed every industry, and the cybersecurity realm is no exception. Many CISOs most likely sat down in late 2019 with plans to implement a minor increase in their cybersecurity budget, with maybe one or two additions to their talent pool, but no one anticipated a global pandemic and the havoc it would wreak. Cybercrime and cyber threats spiked as companies moved to remote work and sensitive data became less secure.
As companies scrambled to suddenly implement digital transformation initiatives, it became obvious there were a significant number of pain points. Many found themselves trying to streamline legacy processes that were more important now than ever with a growing number of remote workers.
Mike Weber, Vice President of Innovation at Coalfire, commented on this issue last month. He says, "Organizations that weren’t positioned to quickly pivot to an all-remote workforce or to solutions that promote business operations beyond their brick-and-mortar facilities have struggled to adapt to this ‘new normal’. Migrating systems from a ‘legacy’ on-prem solution to a highly available remote-access-friendly solution can be loaded with changes and nuance that are not immediately apparent. These can create security issues that could require expensive and time-consuming re-engineering to mitigate. Those organizations that had to scramble are likely coming up short on cybersecurity controls like monitoring and analytics, which could be part of the anticipated uptick in spending as reported on the survey."
The need to monitor risks, especially as more and more data moved to the cloud, compounded the stress many organizations were already facing with COVID-19. Although companies may be increasing their overall budget to deal with this new rise of cyber risk and cyber threats, where to allocate their resources becomes an ever-increasing concern. Cloud security especially became a constant worry as workers moved to remote spaces, and there weren’t processes in place to protect company assets. This, coupled with countless industries suffering revenue losses, made tight budgets even tighter. Companies were looking for effective ways to cut costs, all while trying to expand their cybersecurity workforce to address this new constant threat of data and security breaches. Investing their tight budgets into something that could automate a portion of their risk assessments may be the answer CISOs are looking for to stretch their hard-won dollars.
Padraic O'Reilly, Co-Founder of CyberSaint, says: “So the question becomes, how can we take vulnerability data and get rid of the noise? And to what extent can you automate controls? Organizations have begun to realize that if they can automate even half of their controls, they can drive down the cost of compliance checks, auditing requirements, and regulation requirements. If they can do this in real-time and link it to risk, there’s also the opportunity to bring it ‘upstairs’ and show CISOs and other boardroom executives what is happening live. That increases the likelihood of increasing both budget and awareness.”
When we’re looking at resolutions for these growing pains, there’s an easy answer: automation. Automation gives businesses the ability to decrease operating cost budgets by reassigning employees and resources away from managing unwieldy assessment spreadsheets or overgrown, modular GRC systems. Through automation, it’s possible to put those employees to use doing higher-level jobs like actively assessing for risks.
“You’re freeing people up to do the jobs they’re meant to do,” O’Reilly goes on to say. “One of our companies told us that 80% of the individuals who deal with controls have nothing to do with the control, and they’re not a part of the compliance team. That information is always sitting there, but it’s a part of an over-complicated process that most likely includes a spreadsheet for reference with 400 columns that someone has to go through manually. By automating this process, you’re freeing up company resources and people to do their real jobs.”
The situation is exacerbated by the fact that, on a greater scale, we are all also facing a cybersecurity talent shortage. There are simply not enough cybersecurity professionals to go around in the industry. According to a Gartner 2019 CIO survey, 48% of midsize enterprise CIOs intend to spend the largest amount of new or additional funding on business intelligence or data analytics solutions. Yet, also according to Gartner, most companies are competing to fill the same roles with the same talent profiles. Of all S&P job openings, 39 percent are for just 29 roles. When coupled with the fact that recruiters are tasked with finding job candidates that meet incredibly specific demands, the number of available and qualified candidates decreases dramatically.
One way to remedy this cybersecurity talent gap is to invest in software that can analyze risks in real-time as well as automate some of the risk assessment process. This has the potential to significantly decrease security operating budgets, thus giving organizations the opportunity to recruit more security talent for jobs that will have a high return, as they won’t be spinning their wheels on outdated legacy processes.
Automating the risk assessment process has the ability to remedy the skills gap in two key ways. One, organizations won’t need to have cybersecurity workers going through various assessments manually, only to realize that by the time they finish, the process has taken too long, and the risks they initially cleared may be present once more. This process can waste precious resources and employees, and become unwieldy and expensive for many institutions. And two, by using solutions like CyberStrong that supplement current IT GRC stacks, it’s possible to make the outdated modular processes more efficient, allowing businesses to reallocate more resources to other parts of the company that may have been impacted more severely by COVID-19.
The bigger the operation, the more opportunity for making a more agile team and budget. “At the enterprise level, there’s more ambition for solving some of these long-standing problems, now, if possible,” O’Reilly says. “Before COVID-19, there was a lot of talk about big issues in integrated risk and GRC. They were aspirational conversations and fascinating theoretical conversations. Now I see the security teams telling their senior leadership that we need to start this journey now.”
For automation solutions and more about how CyberStrong can give you and your employees the ability to take back time, contact us here. To listen to this webinar and learn more about how you can optimize your security budget, watch here.