EXECUTIVES SAY SECURITY IS TOP OF MIND, BUT SEARCH DATA PROVES OTHERWISE

By Ben Lorica, Chief Data Scientist, O’Reilly

From media headlines to industry surveys, most business executives across industries are continually naming security as one of their highest priorities. After the myriad of globally destructive breaches that 2017 brought us, from Equifax to WannaCry, it makes sense that organizations are trying to convince consumers and employees alike that they value the safety of their data and are doing all they can in the fight against hackers. But is all of their talk actually resulting in action?

According to new data from O’Reilly’s online learning platform, Safari, it’s not. To find out what organizations are really focusing on, O’Reilly analyzed search data from Safari’s user base of more than two million business and technology professionals. It found that despite the grave importance of cybersecurity in business and technology today, there’s a concerning lack of activity in this area when it comes to what skills and trends professionals are searching for – and, therefore, what they’re prioritizing.

Along with the increasing sophistication of cyber attacks and the consequences of becoming the victim of one, the gap between the number of qualified security professionals and the number of open security positions is becoming even wider. As legacy systems are being replaced by hybrid cloud environments, it’s imperative that organizations across industries start taking security seriously. Without impenetrable security, these organizations will suffer a loss of not only funds but also customers (let alone their reputations).

What Security Search Data Tells Us

Despite these priority claims, “security” ranked 47th on the list of Safari’s top search terms. “Hacking” came in at #127 and Wireshark, an open-source packet analyzer tool, took the 141st spot. It is possible that security activity is included in other development work or hidden within other search terms. It’s also possible that organizations could be moving to the cloud and therefore adopting the security features offered by their cloud providers, as suggested by the popularity of cloud-related search terms, such as “Amazon Web Services” and “microservices.”

Whatever the case may be, security is an essential and incredibly broad area that deserves higher activity and ongoing attention from professionals across all industries. In our age of frequent and increasingly sophisticated cyber attacks that are capable of shutting down global operations within seconds, it’s no longer enough to have an educated, security-savvy C-Suite. The whole organization must be paying attention to security policies and best practices. The smartest organizations are the ones pursuing “baked-in security,” woven into the tools and structure of an organization, rather than “bolted-on security,” implemented after a product or process is already complete.

How To Improve Your Organization’s Approach to Security

In order to start taking the best security practices head-on, you’ll need a baseline understanding of where your organization stands. Here are some of the key questions to ask as you begin your own security audit:

Does your organization’s leadership team know what the security policies are? What about the other employees?

Although it might seem like having an educated C-Suite is enough, today every employee an organization has influences its security posture. Every employee is accessing the organization’s network through their own unique identity, which means that every employee can be used as a pathway to compromise the network. Certainly, some employees have a much larger bearing on security than others, such as those who wield the widest access to the company’s most sensitive data. For this reason, you should start security education with those who present the highest risks and build out from there. For example, while business leadership definitely comes to mind as among those who should be immediately and most thoroughly educated on organizational security, what about administrative assistants? Do they have access to everything that your C-Suite has access to? Chances are they do and that they’re less security-aware. If this is the case, simple (and common) attack vectors such as phishing and social engineering could easily lead to serious consequences. And don’t forget about passwords. Although they may seem like a basic component of security, their impact can be huge. Employees reusing passwords or leaving default passwords in place can quickly create problems. In fact, London-based consultancy Willis Towers Watson found that 66 percent of breaches in 2016 were caused by “employee negligence or malfeasance.” Making sure that every employee, from the CEO to the summer intern, is thoroughly educated on security hygiene and basic policies, as well as why they should care about following them, can help address many of these issues.

How distributed is your technology stack?

The more distributed your technology stack is, the more challenging it becomes to secure it – and the more important it becomes that security controls are set correctly from the beginning. Sprawl presents a lot of access points that need to be protected. In addition to the increased security challenges, maintaining flexibility and agility while ensuring all of those access points are protected can be especially difficult. If your organization does choose to implement a distributed technology stack, making sure that employees are educated on every tool they’ll use and how to protect the sensitive information each contains is essential.

Does your organization have a plan for how it will stay strong amid the growing cybersecurity skills gap?

Even if your organization’s security force is one to be reckoned with right now, consider how it will be in ten years. Evolving technology, advanced cyber attacks and a lack of qualified professionals to help protect against them are inevitably in every organization’s future. Consider this: cybersecurity has the highest demand as well as the largest gap between demand and supply, with 68 percent of organizations reporting high demand for cybersecurity skills and only 43 percent reporting proficient cybersecurity skills already present in the organization, according to a recent report by Capgemini. The near future is not looking much better – the Information Systems Audit and Control Association predicts a global shortage of two million cybersecurity professionals by 2019. Unfortunately, it’s likely that your organization is going to face the challenges that stem from this shortage, including having to rely on your existing security staff more. Planning accordingly by prioritizing a “baked-in” security strategy is a more sustainable model. It also means that the security resources you can procure will be used more efficiently and effectively by the whole organization.

With rising cyber-risks and a lack of skilled security staff to help organizations figure out how to protect themselves, it’s understandable that security is an area some employees find it preferable to ignore. However, it’s imperative that professionals across all industries start paying more detailed and frequent attention to security, and that organizations and their security teams prioritize a “baked-in” approach that will help carry them through all the changes technology brings. In addition to efforts from the security team, every employee should take a moment to ensure they know how to do their part in protecting against cyber attacks – and, if not, peruse all the resources they have available to educate themselves.

About the Author
Ben Lorica is the Chief Data Scientist at O’Reilly Media, Inc. and is the Program Director of both the Strata Data Conference and the O’Reilly Artificial Intelligence Conference. He has applied Business Intelligence, Data Mining, Machine Learning and Statistical Analysis in a variety of settings including Direct Marketing, Consumer and Market Research, Targeted Advertising, Text Mining, and Financial Engineering. His background includes stints with an investment management company, internet startups, and financial services. Ben can be reached online at @bigdata and at our company website, http://www.oreilly.com.