Barely had the internet started to tiptoe into public consciousness, when cyberattacks became a feature of Hollywood blockbuster films. Now that it has become a core part of everyday life, cyberattacks have stepped out of cinemas and into the real world, and truth genuinely can be – if not stranger than fiction – then at least more frightening.
The frequency of cyberattacks seems to be going up all the time, to the point where it’s hardly a surprise that, according to Gartner’s “2018 CIO Agenda Survey“, no fewer than 95 percent of Chief Information Officers (CIOs) expect cyber threats to increase over the course of the next three years.
In spite of this, however, only 65% of organisations have a cybersecurity expert on their staff.
According to the same research, many Chief Information Officers see their main function as being to promote growth and help their company to gain market share.
On the one hand, this is totally understandable, after all, companies need revenue to pay their bills (and their salaries). On the other hand, this attitude does highlight the fact that there still seems to be a lack of understanding of the damage cyberattacks can cause, not just to a company’s infrastructure and/or data, but to its reputation amongst the public. Even amongst people (like CIOs) who really ought to be only too aware of the fact that cyberattacks have the potential to destroy companies.
It’s even more surprising that this attitude persists in a post-GDPR world, although in this context it may be significant that the survey was conducted on a global basis and hence may have included people who did not see GDPR as their concern (even though it does, in theory, apply to anyone handling the data of EU residents).
It would be lovely if all companies could avail themselves of the services of an expert Certified Information Systems Security Professional (CISSP), if only via the consultancy route (which, at current time, would probably be the most feasible route for most SMEs).
In the real world, however, CISSPs are few and far between and are, as such, in very high demand. As a result, even larger companies may have to look at alternative approaches to obtaining the expertise they need.
In practical terms, this could be achieved by using external auditing companies to identify existing strengths and weaknesses and then making a decision on:
- where it would be appropriate to “buy-in” an expert
- where it would be best to develop in-house expertise, and
- where the most pragmatic option would be to use external consultants.
The decision on how best to achieve this expertise will vary from company to company, and many could start with hiring an external specialist who offers limited but essential advice, and perhaps build up to training somebody to carry out the entire role in-house when they feel confident that this will provide value.