Building cyber resilience

Cyber resilience is a whole of business concern, but even cyber security teams are struggling to keep up. 
 
The threat of cyber security breaches is constant, and the damage they can cause is becoming greater. The average cost of a cyber breach to an organisation is more than $270,000. However, companies that fail to adequately protect customers' data could face fines of $50m or more under legislation that was introduced in the back half of last year.
 
Building cyber resilience across your whole business is a necessary step all organisations now need to take, but when the cyber security team isn’t yet up to speed, CIOs and CISOs have a long way to go to increase the skill sets in their organisations.
 
The risks that cyber security poses are so great that the government is creating new regulations to keep businesses and customer data safe. In 2019, APRA introduced prudential standard CPS 234 Information Security to ensure that financial service and insurance businesses have appropriate measures to be resilient against information security incidents (including cyber attacks) by maintaining appropriate information security capabilities. APRA is rigorous in ensuring compliance. In July this year APRA released the results of an independent tripartite cyber assessment, which will eventually cover more than 300 businesses, and the results highlight several concerning gaps.
 
The businesses reviewed failed to meet the standard in six key areas: 
 
  1. Incomplete identification and classification for critical and sensitive information assets. 
  2. Limited assessment of third-party information security capability. 
  3. Inadequate definition and execution of control testing programs.  
  4. Incident response plans not regularly reviewed or tested. 
  5. Limited internal audit review of information security controls.
  6. Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner. 

This report highlights the fact that organisations are still struggling to equip their cyber security teams with the right capabilities, whether through a lack of understanding of the requirements or through an inability to secure the skills that are needed in the current tight tech talent market. It also demonstrates that cyber security is a whole of business concern, not just limited to a cyber security team.
 

In-demand Cyber Security roles

While cyber security needs to be a concern for all employees, there are a number of roles within the cyber team specifically that organisations are currently looking for. These include:
 
  • Operational security (SOC and SIEM)  
  • Cloud Security  
  • SecDevOps and penetration testing skills  
  • Application security 
  • Digital forensics and incident response  
  • Security operations and engineers  
  • Security architecture and threat intelligence  
  • Staff and customer identity specialists  
  • IAM platform implementation  
  • Security consulting

While we know these roles are in high demand, the talent to fill them is increasingly challenging to find. Our Cyber Security Report found that globally more than 90 per cent of leaders said that the skills gap has affected their ability to implement their cyber security strategy. Additionally, our latest Salary Guide: IT Edition found that 50 per cent of employers in the technology industry are looking to increase headcounts in the year ahead, but only 44 per cent of technology workers intend to stay with their current employer. The top factors driving turnover include a lack of promotional opportunity, an uncompetitive salary, and poor management style or workplace culture. What do they want? The opportunity to improve their technical skills, a pay rise and the option to work flexibly.
 
If you want to keep up with changes companies are facing, consider these factors. 
 

Plan ahead

Understanding an organisation’s future needs in the technology space can be challenging as the pace of change in this sector is fast. Now that many businesses have embedded their digital transformations, they are realising the future opportunities that are available to them. By understanding future recruitment efforts, you can stay one step ahead of the game with hiring intentions to meet the demand with your skills.


Constantly review your recruitment processes 

Remote hiring became the norm during lockdowns, but ask yourself if this is still the best way to assess a potential employee’s suitability to the role and the company culture. Also consider your remote hiring processes. As the trend to remote hiring gathered pace, the market answered the need by designing software and models to assist organisations to find their best fit through technology innovations. Research the market to identify any solutions that might help make your processes more effective.


Consider where undiscovered talent might be

While looking outside of standard locations has become the norm, have you considered looking at different demographic profiles too? Remote work means organisations can hire from many different geographies, including rural and regional areas and internationally. There are, however, many complexities around regulation and compliance of hiring workers in different countries, as well as language and time zone barriers to consider.
 
Looking beyond your standard technology talent network is also of benefit to find the people you need. Consider any transferable skills that might make someone from a non-tech background a perfect candidate. Also consider reviewing your hiring processes to make them more accessible to neurodivergent people or people with a disability.
 

Reflect and retrain

The pace of change in the technology sector is faster than most others, and therefore skills can become redundant faster than in other industries. Keep your technology professionals updated with ongoing learning and training, not only to build the skills you need internally, but also to help with staff retention. With workers citing technical skills development as a key desire, organisations that have robust formal and informal learning programs can become an employer of choice. Additionally, mentoring and buddy systems for newer workers joining an organisation can help with onboarding and foster a sense of belonging at work – a key element to any retention strategy.
 

Embed cyber security skills across your whole organisation

Almost 95 per cent of all cyber breaches happen because of internal human error. The wrong link is clicked on, a file is forwarded in the wrong way, two factor authentication is skipped… Building cyber resilience across your whole of business is necessary. Formal learning and assessment programs should be built in, and constantly reviewed. Note should also be taken of those internally who might not currently be in a cyber role but show aptitude towards it; they could be further nurtured and encouraged to learn more cyber skills.
 