Even before the pandemic, IT leaders were hard-pressed to manage growing cybersecurity threats.
And then the crisis hit. The overnight transition to remote work left companies with masses of more vulnerable endpoints exposed in their networks. Cyberattacks and data breaches hit record levels in 2020, with 77% of IT leaders noting an increase in onslaughts in the latest Syntax IT Trends Benchmark Report. Security concerns rocketed to among the top two issues for IT leaders.
Already-stretched corporate security teams and their outsourcing partners scrambled to implement secure and effective virtual-work environments, combat heightened threats, and onboard new tools and capabilities.
“Few corporate functions shifted priorities so much and so quickly when the COVID-19 crisis struck as corporate cybersecurity operations and the technology providers that support them did,” according to a survey of IT leaders by McKinsey and Company.
Organizations moved quickly to implement short-term solutions to protect their data. But they also recognized that innovative longer-term measures were required to proactively prevent new threats. Despite increasing security measures in 2020, nearly 80% of IT leaders believe their companies still lack sufficient protection, according to an IDG/Insight Enterprise 2021 study. For 2021, internal team and skillsets were among the top three areas where IT leaders had the least confidence in their current security capabilities.
The Next Threat: The Critical Cybersecurity Skills Gap
Internal resources simply aren’t cutting it for IT leaders. That’s especially true in the US, which suffers from what is estimated to be the largest cybersecurity workforce gap in the world; a recent (ISC)2 study found more than 40% of 879,126 IT security-related positions were unfilled.
A majority of IT leaders confirm they lack adequate cybersecurity resources – and that, consequently, their organizations are at risk. The extent of the shortage is projected to only get worse, as cybersecurity software development skills are highly specialized. It can take years to master critical application security tools that identify and classify vulnerabilities.
Equally pressing is the need to deploy resources aimed at strengthening defenses in areas hardest hit over the past year. The cyberattacks that took the greatest toll were phishing, followed by brute-force password attacks, stolen credentials, and denial of service, malware, and ransomware. In response, IT leaders are procuring enhanced tools for stronger protection and quicker incident detection and response – such as those addressing threat intelligence, bot detection, vulnerability scanning, and more.
To put next-level solutions in place, new and more advanced skills and practices are required. Security teams will need to evolve a greater range of technical competencies across their key strategic capabilities: governance, risk and compliance; threat management; SecOps; and new and existing solutions integration. Many IT leaders are finding it simply impossible to cover a broadening security scope against the time of upskilling or the cost of hiring more internal resources.
Companies, and their customers, are paying dearly for this critical shortfall. A lack of cybersecurity skills ranked among the top three factors that increased the average cost of a data breach, according to IBM Security’s Cost of A Data Breach 2020 Report. The United States logged the highest average cost of a data breach - $8.4 million - of any region in the world.
Outsourcing to the Rescue
IT leaders are struggling with a grim reality in the current cybersecurity climate. Internal teams acknowledge they just don’t have sufficient skills and knowledge to meet the reality of new, more complex risks, threats, and breaches outside the corporate network. They’re also tasked with meeting a strategic agenda to become more resilient and protected. The solutions they implement, however, must work practically and affordably within budgets impacted by pandemic belt-tightening.
With internal resources already taxed, it’s a challenge for many companies to build and scale security teams to counter the increasing number and complexity of attacks. As an industry leader in sourcing certified, rapid-deployment cybersecurity teams, Accelerance has had a front-row seat to the difficulties faced by US businesses over the past year.
“There is a growing resourcing strain on companies as they struggle to address rising cybersecurity threats,” says Larry Eighmy, Accelerance's head of cybersecurity. “Protecting organizations today is a round-the-clock job. Many companies are finding it impossible to maintain a fully-staffed, in-house security team that can respond to new or heightening threats, and meet the rising demands for cybersecurity scale and skills. Turning to a specialist security firm can provide you with the capability and the assurance that the most significant security threats are being identified and addressed.”
That’s exactly what IT leaders indicate they’re planning to do. Software outsourcing is a go-to option to fill technical skills gaps – closing system vulnerabilities and building future defenses within budgetary limitations. A record number of companies are looking to up their outsourcing this year, with cost control as a key factor when filling in-demand developer roles that command high onshore prices.
Under today’s level of cyber risk, outsourced security partners are “an absolute lifeline for overstretched teams,” says Faiz Shuja, CEO of SIPR, a risk-based security platform. “Organizations also rely on the range of services that partners provide to protect against advanced attacks, to a level they can’t always replicate in-house.”
Expert Insights into Security Outsourcing
What should you look for in a security partner? Accelerance recommends the following:
Advanced knowledge of cybersecurity metrics
Access to the best and safest security systems on the market
Actionable counsel on cyber threats and attacks
A demonstrable track record in engagements to mature security processes and harden security practices, along with the ability to transfer knowledge and capabilities to internal teams
US organizations made strides in 2020 to close gaps and upgrade their cybersecurity systems and practices, Eighmy says. However, insights from Accelerance’s global network of more than 250 certified software development firms reveal there is still a lot to be done.
“Maintaining a proactive security position is a constant, complex, and necessary effort – never before has that been so true as in 2021. You need to have a bench of resources ready to be called into action when needed. Without the right skills in place, you can be caught out during a harmful breach, which can be an expensive proposition,” Eighmy advises.
To be ready for that proactive response, Eighmy predicts an increasing number of companies will partner with specialized security teams that can keep up with the latest skills and tools that are difficult to keep current in-house.
Security Outsourcing in Action
Accelerance is currently advising a national mobile field service management company whose biggest customer requires proof of the company’s ability to meet stringent security standards. We created a compliance program anchored in the Center for Internet Security’s 18 critical security controls so the client could demonstrate key industry-standard proficiency. We also evaluated the strength of the client’s system through penetration testing and vulnerability assessment. Accelerance’s solution illustrates the step-by-step approach clients must take to adapt their operations to meet today’s security challenges:
Conduct a current state assessment that informs a program plan to identify and close security gaps with short, medium, and long-term improvement initiatives.
Build an experienced team of cybersecurity engineering, architecture, compliance, and leadership to help implement the plan.
Prioritize budgets and resources by using a risk-based approach that maximizes the return on security investments.
Develop a systematic approach that balances efforts to build a comprehensive security program while enabling ongoing management of imminent changes to the initial program.
Stand up a prioritization process, allowing teams to focus first on high-value security projects (“low-hanging fruit”) while also covering longer-term initiatives on the path toward a well-defined target state.
Accelerance Arms You with Best-in-Class Security Expertise
Now more than ever, security is top of mind. Identity theft isn’t the only concern – you could be the target for a cyberattack that cripples your business and its ability to serve your customers, damaging your reputation and credibility. Your company, your products, and your customer data must be protected.
With rising demand, Accelerance has elevated its security services for 2021, adding senior-level expertise and skilled partner firms to its certified global network. With an offering that includes proven proprietary compliance, risk, and governance practices, the Accelerance approach empowers the client by bedding in sustainable capability.
First, we do the “fixing and the building” to harden a company’s security posture, processes, and procedures. Then, we transition the best-in-class solution back into the organization to run internally. That critical transfer of optimized competencies embeds long-term resiliency and addresses the need to build internal capability rather than always relying on external resources like so many other consultancies force you to do.
Accelerance leverages an established track record in cybersecurity consulting. Our experienced professionals find the right resources and strategies to assess code and production environments for security risks. We evaluate multiple points of failure and help you understand what current and viable risks impact your business. Mitigating risks can involve getting the right security processes in place, tightening DevOps practices, pen testing, doing a PCI, PII, or HIPAA compliance assessment, or even load testing.
Vital to the strength of your software security is ensuring the right guardrails and practices are in place for your team to follow, documentation is properly filled out, and unnecessary risks are known and guarded against.
With security as a top C-level agenda item for 2021, now’s the right time for a consultation about the ultimate program for your current and future needs. We’re here to help.