With the roller coaster ride that was cybersecurity in 2021, we’re all curious to see what 2022 has in store for our industry. To help shed some light on what to expect, we recently hosted a webinar featuring Lewie Dunsworth, Nuspire CEO, and J.R. Cunningham, Nuspire CSO, who offered their cybersecurity predictions.
Pandemic fatigue continues to affect performance across every company in every sector, and it’s not going away anytime soon.
“This isn’t all about security,” said Lewie. “You have to focus on people.”
Lewie discussed the importance of flexible work models, not only when it comes to work location, but also flexibility in schedules. He emphasized that now is not the time to do more.
“When teams are fatigued, it’s important to focus them on the things that really matter,” Lewie said.
J.R. added, “It’s critical to focus on the human connection and helping teams navigate this time by supporting them in whatever way we can.”
For example, J.R. said he started building in budget for controls that can be used at the personal level (e.g., password managers) to account for working from home. He took it a step further and extended security support not only to employees, but also to their families.
“If my team member’s kid is having issues on their personal iPad, we’re here to help,” said J.R. “It’s all about creating an environment that’s not just secure, but also reflects employees’ needs beyond those that occur in the formerly typical office work environment.”
“Many organizations over the past couple of years have felt a lot of pressure to digitally transform quicker and at greater breadth than anyone expected prior to the pandemic, and what that’s doing is creating friction between digital transformation efforts, IT spend and security spend,” said Lewie. “This is forcing security leaders to not only build compelling business cases to invest in new security services, but also validate the efficacy of those controls.”
According to Lewie and J.R., it’s all about starting small and controlling what you can control. Instead of taking on large purchases in three- to five-year buying cycles, focus on the projects you can embark upon that give you the maximum risk return at that moment.
“You have to tie results back to any asks you make to leadership,” said J.R. “One of the common failures we have in the security profession is that we’re not good at advertising our wins. Celebrate those wins by showing how your security project supported business objectives and reduced risk.”
It’s important to anticipate regulatory changes, but sometimes the inclination of security teams is to start implementing controls before those changes are in place.
“Don’t overreact – any regulation takes time,” said Lewie. “Obviously you can’t stick your head in the sand, but what you can do is assume it’s going to come and begin to adopt strategies to set you up for when it does come. Be pragmatic in your approach.”
A helpful thing to remember is that regulatory changes often cover the basics versus introducing net-new rules.
“When GDPR came about in 2018, it spurred all sorts of privacy laws,” said J.R. “We often see organizations have a knee-jerk reaction and really stress about it, but if you unpack the laws, they center around the basics, including data transparency, disclosing whom you’re sharing data with and allowing people to correct data about them or opt out entirely. There may be nuance to various regulations, but the core substance of them generally remains the same.”
The past two years have galvanized a shift in employees’ expectations around their careers and the environments they want to work in. Given that remote work has become the norm in businesses globally, employees can work anywhere in the world now, providing more options within the job market.
For the security industry, this has exacerbated its talent shortage challenges.
“It’s gotten to the point where at some point in time, we need to stop talking about it and just do something about it,” said Lewie. “There are certain tactics you can leverage, and the first one is always automating fundamentals.”
Most employees don’t want to spend their days focused on rote tasks – they want to work on something that lights them up – something they can be proud of. Give high-value employees high-value projects. And stop doing the things that aren’t working anymore. Embrace core capabilities and outsource the rest.
“I had someone tell me it wasn’t the Great Resignation but rather the Great Renegotiation. It’s about retooling what it means to be a cybersecurity professional,” said J.R. “What we do is considered a desirable, multifaceted industry to get into; however, employees want to have more freedom and flexibility that in the past wasn’t germane to our situation, such as having access to social media.”
Lewie reiterated that often, security organizations create their own talent shortage and resource constraints because they’re trying to do too much. Focus on being really good at a few things instead of being mediocre at a lot of things.
Ransomware and how organizations respond to it will continue to be a hot topic in the security industry, and speed is everything. For Lewie and J.R., having a solid incident response plan, rehearsing it and revising it as needed is critical to combatting ransomware. And your response shouldn’t focus solely on the big incidents.
“You have to know your IR plan inside and out, and remember that it’s important to focus on the little incidents, not just the larger ones where the lawyers have to get involved,” said J.R. “We’ve seen many smaller threats snowball into massive incidents because early remediation didn’t happen.”
The days of the CSO or CISO being the sole owner of cybersecurity responsibilities are over. With the industry evolving so quickly, everyone has a stake in cybersecurity outcomes.
“Bottom line – everyone in an organization who is being held accountable to deliver on business goals, whether that be financial, risk or legal, has to have an eye toward cybersecurity,” said Lewie. “Learn to anticipate and be comfortable with questions from stakeholders across your business.”
J.R. said that he often jokes that security professionals are some of the most arrogant people because there’s this expectation that they have to know it all.
“I cannot hold the entire cybersecurity industry in the palm of my hand, and I don’t have all the answers,” said J.R. “The industry is moving so fast and it’s so diverse – don’t assume that you have to know it all.”
Watch the full webinar, including results from a survey on the most important cybersecurity issues for 2022.