Data security has been on the minds of information technology (IT), business, risk, and audit professionals for as long as data has been stored on magnetic drums, tapes, discs, and other storage devices.
In recent years, however, because of the massive expansion of data repositories, the types of data being stored, and the advent of the Internet, it has become much more profitable to steal data and much easier to get it than ever before. To make matters worse, recent highly publicised data breaches at various major corporations have cost these firms tens of millions of dollars in corrective action, reputational damage and, in some cases, major internal organisational realignments. With the ongoing battle to protect corporate digital assets, company security budgets will continue to rise and, as a result, the demand for qualified IT security professionals will continue to outstrip supply.
Cultivating essential skill sets for IT security has become a vital topic. Some firms, based on the nature of their business and financial strength, will be willing to pay top dollar for the best possible talent and surround them with the best tools possible.
Other firms, due to either their business model or financial position, will take a less dramatic approach, doing the best they can with the available resources, prioritising funds toward a combination of general perimeter and detection activities, and placing extra emphasis on protecting their most valuable and potentially damaging digital assets.
Still other firms will outsource the majority of their security efforts, having decided they don’t have the technical ability, financial resources, or interest, based on the perceived risk and/or probability of a significant data breach. Whatever the approach, organisations should continually assess and reassess potential risks, risk tolerance, and changes in the organisations’ activities that may warrant a higher or lower level of desired security.
As the security cloud/outsourcing industry matures, companies need to continually assess whether security activities should be performed in-house or outsourced. Given the difficulty in finding and retaining security-knowledgeable professionals, companies should cultivate internal job candidates for IT security roles.
While internal candidates must be taught the security-based concepts, processes, and best practices, their current skills and experience provide a great platform from which to expand their knowledge and skills. There are various types of jobs required under the general data security umbrella, including non-technical roles, such as risk analyst/manager and data security officer/administrator, as well as technology-based roles, such as security research analyst and network security engineer.
With respect to data security and cybercrime in general, the technical arms race will continue to accelerate. Also, cybercrime activities will expand in type, complexity, and frequency as the cybercrime industry matures. Currently, security breaches have primarily been in the areas of acquisition of personal/credit data, intellectual property theft and, more recently, corporate humiliation.
The types, tactics, and reasons for cybercrime will continue to expand, putting even greater pressure on organisations to expand their data security budgets and more vigorously protect their digital infrastructure. Now and in the future, the demand for data security professionals will continue to outnumber supply. This shortage will, in turn, force IT organisations to devise creative ways to protect their computing environment.