We all know about the income-inequality debate in America, and the controversy about too much wealth being held by the “one percent”. But did you know there’s also an inequality issue when it comes to our country’s cybersecurity?
It’s a little-discussed problem outside IT circles, but it’s having outsized ramifications for big and small companies trying to protect their corporate networks, and retain skilled security professionals.
The upshot: despite increasingly damaging and disruptive cyberattacks — and billions of investment dollars flowing into hot startups offering new security technologies — most companies are having a harder time than ever protecting their digital assets.
Why? Simply put, the nation’s most-skilled cybersecurity experts want to work on big, interesting problems. Maintaining the firewall for a regional bank in Cleveland, say, or protecting a mid-size law firm does not qualify as interesting. Interesting is protecting trillions of dollars at Goldman Sachs — or going toe-to-toe with Russian, Chinese or North Korean hackers at the CIA or NSA.
Interesting also means getting paid a lot. And most companies have a hard time affording the salaries many top cybersecurity pros demand. According to a recent report from DICE, an IT-focused jobs website, the average “Director of Security” makes more than $178,000 a year. It’s not surprising, given the demand. A report by research firm Frost & Sullivan forecasts that by 2020, 1.5 million cybersecurity jobs will go unfilled.
As the chief information security officer (CISO) at a consumer-goods company put it to us recently: “As you know, cybersecurity people are difficult to find and they’re really expensive, and (once) you get them trained and certified . . . somebody offers them five bucks more down the road, and they’re gone.”
Meanwhile, the slog of battling adversaries in cyberspace isn’t getting any easier. There are plenty of new, high-tech products available to companies to protect against hackers. But these systems throw off more security alerts than ever, tying up security pros’ time and making their jobs more difficult — and, in some cases, contributing to staff turnover. Still, people expect their health information to stay private online with their insurer, and when they transfer money electronically they expect it to go into the right account – not into a criminal’s pocket.
So what’s a CIO or CISO at a regular company to do? We have three pieces of advice:
First, start with realistic expectations. It’s more likely that you will get hacked than you won’t. The cost of “zero tolerance” for cyberattacks is absurdly high (not to mention impossible), and you most likely can’t afford it.
So instead, have adult business conversations with your executive team, your board, and your security staff about cost versus risk. Focus on protecting what matters most, and decide what risks you’re going to accept. For example, one legitimate outcome of such a discussion could be to decide — in advance — to accept a certain level of financial exposure in the face of a breach. Maybe you cover it with cyber-insurance. Maybe you simply accept the potential impact and move on — like any other business risk. Maybe you choose to run a higher risk of advanced attacks from state actors in lieu of upgrading expensive technical infrastructure. There are no wrong answers here, just choices.
Second: Think through whether you can manage your security exposure yourself, with your own paid staff, or if you want to partner with an outside provider. You wouldn’t be alone in outsourcing. The hassle factor involved in hiring and maintaining a fully staffed security team is high. According to Gartner, organizations collectively spent $9.4 billion on such managed security services in 2016. A report from Forrester reveals that 74% of organizations that turned to these “as-a-service” security offerings did so because they needed specialized skills.
But while it can be appealing to enlist the help of experts, it’s critical to look behind the curtain. When they alert you to a problem, you deserve to know how they uncovered it. More important, they should tell you what you need to do to fix it, not just tell you something’s wrong. Outside providers should be transparent about what value they deliver, what existing investments they integrate with, and any additional new spending needed to realize full value from their offerings. Ask them how they will quantify their value after your first year of service . . . and then ask for a list of references.
Finally: If you do decide to go it alone, and manage your security with internal hires, spend time deciding what your “shopping list” should include, and make sure not to forget less obvious costs. One obvious area of investment: what technology solutions do you want to buy, and how much do they cost over time? What’s the cost of training new staff on the technology and keeping them up to date on new developments?
Something that’s frequently overlooked is the cost of maintaining your level of staffing and expertise at a consistent, predictable level, particularly if you’re building and staffing your own security operations center. Think you’re going to retain your security analysts for five years? Think again. Instead, have a plan for matriculating your staff to more senior positions and dealing with churn. Identify new sources of talent and develop methods to bring in staff at more junior levels, and then grow them to higher levels of expertise.
In a sharply bifurcated world of cybersecurity talent, there’s a good chance you’re a “have not”, and not a “have”. But if you approach your security program smartly and deliberately, you can make your security investments work harder. And maybe the next time an attacker peers in your proverbial window, they might decide to keep walking and go after an easier target down the block. If they don’t, you won’t be a sitting duck.
This post originally appeared on Forbes.
Dave Merkel is the co-founder and CEO of Expel*, a security startup based outside Washington, DC, and the former CTO of security companies FireEye and Mandiant.
Abhi Arunachalam is an investor at Battery Ventures in Menlo Park, CA and a board member at Expel.
*For a full list of all Battery investments and exits, click here.