CISOs are on the back foot. There’s no end in sight to critical industry skills shortages and gaps, leaving security teams dangerously under-staffed. At the same time, businesses are embarking on a massive digital spending spree that has expanded the corporate attack surface and put more mission-critical systems and data in harm’s way. Given these challenges it could be tempting to consider filling those vacant positions with former cyber-criminals. That would be a mistake.
Instead, enterprises should work harder on building a security-by-design culture from the ground up—predicated on more security-aware employees, a Zero Trust technology approach and outsourced security operations (SecOps).
Turning up the heat
Even before the pandemic, reports suggested CISOs were at risk of burning out, such are the stress levels they face at work. Things have not improved. Last year, nearly half (48%) said work stress has had a detrimental impact on their mental health, almost twice as high as in 2019. Nearly a third said it impacted their physical health and a quarter admitted they’d turned to medication and alcohol as a result.
These findings are not surprising. Many organisations have undergone tremendous digital transformation during the pandemic, to support mass remote working and build new ways to reach their customers. As a result, investment in public cloud is forecast to grow 18% this year versus 2020, and by a similar amount again next year, to exceed $362bn. Yet those new cloud assets and remote working endpoints mean more security gaps and targets for threat actors to aim at. Around two-thirds of medium and large UK businesses told the government earlier this year that they’d been breached over the previous 12 months.
This would be a challenge to manage even with a full complement of cybersecurity professionals in the department. But skills shortages have reached critical levels. The latest data suggests over three million professionals are needed to fill positions globally, including over 27,000 in the UK. Roles in high-demand areas such as cloud security are even more likely to be left unfilled.
All of this could make hiring a former cyber-criminal an attractive prospect. Although few firms would want to admit it, anecdotally this is already happening. It makes sense on one level; it’s often said that the best cybersecurity professionals have to think like a hacker, to understand how to break things so they can put them back together again. Well, why not go straight to the source and recruit the people who know best how to do that? For a few very good reasons.
Why ethics matter
After many years of lobbying, the profession finally received Royal Charter status in 2018. That’s more than just a title. It puts information security on a par with medicine, law and accounting in being a sector where those who work within it must follow the highest ethical and professional standards. Can you be sure that someone who has pursued a life of criminality has what it takes to do so? More practically, can you trust them to have access to your most sensitive data and networks? Former malicious hackers may still be connected to the cybercrime underground, and tempted by big money “jobs”. You wouldn’t hire a burglar to secure your office, so why hire a hacker to secure your networks?
There’s also a bigger picture: if firms started hiring ex-cons en masse, what kind of message does that send to those still engaged in criminality? It may encourage many budding threat actors to work “underground” for a few years, safe in the knowledge that it could be a stepping-stone to a good job in the future. We need to disincentivise this behaviour, not encourage it. That’s not to say that any kind of criminal record should automatically disqualify a candidate. There’s a big difference between someone who made a couple of mistakes in their youth and a career hacker.
From the ground up
So what are the alternatives? The good news is that there are plenty, and they are all achievable with the right strategy. It starts with training your staff to become more cyber-aware. Employees are often described as the weakest link in the cybersecurity chain, which is why phishing attacks are still one of the most common threat vectors out there. But by the same token, if you train them up right, they could be a fantastic first line of defence, capable of reporting anything suspicious that sneaks past your email filters. The key is to use real-world simulations that can be tweaked to replicate current threat campaigns, and to keep lessons in bite-sized chunks: little and often.
Next, focus on technology. Despite being around for over a decade, Zero Trust is gaining a huge amount of publicity at the moment, and rightly so. When organisations like Microsoft and Google start adopting something internally, you know it’s a model to emulate. Zero Trust principles are based around the idea of “never trust, always verify”. That means assuming your organisation has been breached, segmenting networks to contain any threats, restricting users along “least privilege” lines, and continually authenticating. Start off small with bite-sized projects to get boardroom buy-in. The good news is that you may already be using many of the technologies recommended by analysts, including multi-factor authentication (MFA), asset management, and endpoint detection and response (EDR).
That brings us on to the final pillar: SecOps. Here skills shortages have hit particularly hard. With so many security tools pushing alerts out to security analysts, many feel overwhelmed by the workload, and unable to prioritise which need addressing. That can let real threats through and lead to teams chasing up dead ends and false positives. This is where third-party Security Operations Centres (SOCs) can add real value. Organisations can take advantage of the economies of scale provided by outsourced operators, and the fact they have visibility into threats across multiple customers. Most importantly, you can be sure that all staff have been trained professionally, act ethically and have learned their skills legally.
By Scott Goodwin, CISO and co-Founder, DigitalXRAID