Cyber Security Status
In December 2018, Forbes posted an article predicting what Cyber Security would look like in 2019. With cases like Media Prima being hit by ransomware, or Marriott Hotel’s series of data breaches, one can easily see how important cyber security will be in the coming future.
evolution of Security Skills
Today, Security is top of mind for many companies, especially in this digitally driven era. Many companies rely on technology to run their businesses. Basically, Cyber Security skills have evolved from “good to have” to “must have”.
is a growing Business Imperative
As companies invest more in technology, the importance of Cyber Security grows with it. Put another way, the more convenience a technology brings, the more vulnerable it will be. Companies that have invested heavily in technology know this, and are therefore starting to treat Cyber Security as a standalone discipline and a high-priority objective.
training is needed to close skill gaps
With companies' increasing awareness of Cyber Security, the demand for skilled Cyber Security professionals is increasing exponentially, with an estimated 37% per year growth in job demand, to be exact. Some companies compensate for the lack of supply by partnering with Cyber Security firms or upskilling their existing workforce. 60% of companies send their workforce for Cyber Security training and 48% of them pursue certifications.
skills need to be deep and wide
For many of these companies (between 18% and 32%), knowing is not enough. There is a wide range of skills that these companies expect from their Cyber Security professionals. They expect a significant improvement over their existing security expertise, and their new security goal is not to be impenetrable but to proactively find cracks in their armour before attackers discover them.
Building a Culture of Cyber Security
Having a professional Cyber Security expert is not enough; it takes more than that to protect a company. As Warren Buffett said, Cyber Security is the number one issue facing humanity. Therefore, Cyber Security is not just IT’s problem, it’s an executive-level problem. Uber, Target, Equifax and Dyn are just some of the names that have been affected by cyber attacks. For that, companies need to build a corporate culture that takes Cyber Security
There are a few principles to follow in order to build a cyber security culture in your company.
Principle 1: Integrate Cyber Security into your business strategy
A company’s leader should measure the value of Cyber Security accurately, and that message needs to be conveyed to everyone in the company. Keeping the company safe from cyber attacks should be part of the company's mission and vision. As you probably know by now, it’s impossible to have an impenetrable network; the only thing one can do is make sure everyone knows about the importance of Cyber Security and practices the steps to prevent an attack from happening. As a good example, J.P. Morgan Chase, a finance powerhouse, doubled its Cyber Security budget to half a billion dollars, and Microsoft plans to invest $1 billion annually in cyber security research and development.
Principle 2: Your corporate culture should reinforce a culture of cyber
Many companies are starting to have a CISO, that is, a Chief Information Security Officer. Previously, the CISO reported to the Chief Information Officer (CIO), but now the CISO reports directly to the CEO in order to improve efficiency. That is because the CIO's main focus is usually on efficiency and accessibility, whilst the CISO's main focus is to identify security vulnerabilities. Booz Allen Hamilton, a military and business management consulting firm, even has its CIO report to the CISO, in order to show the importance of Cyber Security.
Principle 3: Your employees are your biggest risks
Believe it or not, research shows that IT employees are actually the most likely people to engage in cyber security risk. This shows that training for every employee who has access to the network is crucial. Even the most basic anti-phishing program will bring a 7-fold return on investment for the company. For that reason, never underestimate training for your employees, and don’t limit it to only your IT staff; it should be a compulsory course for all employees who have access to your network.
Principle 4: Detect, Detect, Detect
It is important to know that detecting is more efficient than preventing. Many companies focus more on preventing than on detecting. Yes, prevention is crucial, but detection is important as well. It is advisable to conduct penetration testing (pentest) frequently to discover security vulnerabilities. Only then can one know what is wrong and what will go wrong. Pentesting is considered white-hat hacking, that is, hacking a system legally. A very famous way to conduct a pentest is the “red/blue team” exercise. The red team consists of the pentest experts, whilst the blue team does its best to detect and defend.
Principle 5: Collect what you need, share only what you have to
Often, data breaches happen at businesses that had no need for the data in the first place. It’s like keeping something you don’t need that might bring you trouble. Managers often give orders to collect as much data as possible, without knowing exactly how to use that data and how to use it the right way. Sharing data is also a problem leaders need to take serious action on. Data shared online is the easiest to breach, since it is up there for anyone to grab. Therefore, sharing only what is necessary is also something a company needs to incorporate into its culture.
All in all, human factors are the weakest point in cyber security. It’s that one simple click on a link that results in catastrophic disasters. Therefore, it is crucial for a company leader to send the message to the whole company that cyber security is one of the company's major focuses and should be taken seriously. The right training for the right users is important as well, so that each and every one of them knows their role in protecting the company’s security.