Writing for IBM Midsize Insider, Christopher Burgess offered up his thoughts on 2014.
Moving into 2014, the chief information officers (CIOs) of small to medium-size businesses (SMBs) have security challenges ahead of them. In an eWeek piece, Michelle Maisto interviewed Steve Durbin, the Internet Security Forum’s global vice president, who made several recommendations of areas of focus for the information technologist in 2014. These included bring-your-own-device (BYOD) and cloud, personally identifiable information and intercompany data sharing.
Contemporaneously, CSO Online offered an in-depth piece by George V. Hulme, which called out five specific ways in which enterprises should reduce risk: by closing the skills gap; shifting away from a regulatory compliance mindset; improving incident response; communicating to business, not at business; and shifting to increasingly data-based decision making. All of this advice comes down to two ideas, both vital to implementing a security regime within SMBs and enterprises: training/education and data analytics.
Train and Educate Staff
An opportunity exists to enhance the knowledge of IT professionals and their ability to harvest available data and make solid choices based on that data. These decisions may be proactive, to prevent security incidents from occurring, and reactive, focused on the use of data analysis to reach complete and rapid incident resolution. A portion of the recipe for success requires an investment in current personnel.
It is almost always more cost-effective to make an educational investment in current staff than to step out into the marketplace to find individuals with specific talents; the marketplace is crowded with others looking for that very same talent. Daniel Kennedy, research director of information security at 451 Research, commented in the CSO piece, “We are always seeing conversations about staffing concerns. And it’s not just small and mid-sized companies that are having trouble finding and retaining talent, it’s a problem even at the top.”
Analytics
While enhancing employee skill sets is important, it is equally important that IT make use of tools and resources that are up to date with today’s — not yesterday’s — risks. This may require a different way of thinking and collaborating internally. Data can overwhelm an IT team if collected without a road map to utilization, with the result that the team finds itself lost in data. Having in place the analytics tools required to leverage data will in turn keep the CIO’s team working smarter.
Better empirical data analysis can be achieved. In addition, access to similar industry data sets serves to increase the overall knowledge base of the IT security team. Durbin explains, “Cyber resilience requires recognition that organizations must prepare for a threat. It requires high levels of partnering and collaborating, and for organizations to have the agility to prevent, detect and respond [to an event] quickly and effectively.”
In sum, SMBs will be wise to invest in the education of their current staff. The investment not only raises the level of knowledge but also the overall capacity of the company to address current threats. Furthermore, businesses should encourage collaboration and share knowledge within company walls. A decision by an IT professional can no longer be made on the basis of instinct and experience alone; as noted, empirical data and data from other companies must now be factored into the equation.
Source: http://midsizeinsider.com/