CISOs and cybersecurity talent are in short supply these days, an alarming fact in light of the security breaches that defined 2014 and that will most likely continue to hit corporations in 2015. The threats of hacking, corporate espionage, and government eavesdropping loom over the enterprise, and, further complicating security efforts, tighter cybersecurity regulations are on the way. In such an environment, what’s a security-conscious organization to do?
For Nike, the answer lay in poaching cybersecurity talent from another corporation, according to a lawsuit filed by MasterCard earlier this month. The lawsuit alleges that Nike “conspired with its ex-CISO William Dennings and former head of information security engineering to poach cybersecurity talent,” the Wall Street Journal reported. The subsequent employee poaching violated non-solicitation and non-disclosure contracts, MasterCard claims.
The significance of the lawsuit lies in what it says about the state of the cybersecurity talent pool: that it’s small. So small, in fact, that in order to recruit qualified personnel, corporations are turning to ethically questionable tactics. Clearly, finding a strong CISO or security administrator these days isn’t as simple as putting an ad up on LinkedIn. It’s unfortunate, since organizations need competent security leadership now more than ever in order to remain in compliance with data privacy regulations and avoid disastrous data breaches.
Outside recruiting is often a given when it comes to filling a job position, but organizations looking to create a security leadership role or to bolster their existing security team should also look within. There may be a cybersecurity leader in the making already working in your IT department. Developing a security leader internally has the following benefits:
Existing familiarity with corporate culture and leadership, leading to smoother and more productive communications from the start
Existing familiarity with the organization’s long-term goals and needs
Existing familiarity with the organization’s IT infrastructure, applications, data assets, and cloud investments
This last point is critical. As we’ve discussed in this space before, in the cloud era, cybersecurity must focus on securing the data no matter where it is stored, whether on premises or in the cloud. Cloud security is a critical component of an overall data security strategy, but multi-vendor deployments can complicate matters, especially when compliance issues around data residency arise. An internal IT staffer stands a better chance of understanding the company’s security needs, risk priorities, and cloud deployments than an outsider. Training and promoting from within can therefore make more sense than looking for a CISO or security admin elsewhere.
Of course, there may be times when your organization’s security needs are out of step with security budgets, and current teams have to step up to the plate. In those cases, the IT team’s first step will be the same as that of a newly minted CISO or security admin: understand what you’re working with and where the risks lie.
A number of tools exist to accomplish this, among them our CipherCloud for Cloud Discovery, which detects, identifies, and evaluates cloud use on the enterprise network. Evaluation is done using our risk scoring system to help IT and security administrators determine which cloud services to adopt and which ones to avoid.
Want to know more about how the risks of cloud applications are assessed? Download our 5-minute technical note to discover how to properly assess the cloud security risks of the SaaS applications your organization’s employees use.