State of Cybersecurity (CompTIA Volley)
Carolyn April: Hey everybody. Welcome to the latest edition of Volley. I'm Carolyn April, and as always looking for my good friend, Seth Robinson, Seth, Hey, how are you? I am pretty well, pretty well, a little chilly but otherwise doing okay. It's been an abrupt change in temperature and I'm not quite acclimated yet. But you know, it's similar complaint to every year when the seasons change, but otherwise doing well getting ready to head off to jolly old England in a couple of days. Yeah, we're sending you over there for RME. ICANN, right. Yes,
yes. Yes. Our producer Andrea is going to I'm staying here. Okay. You guys, someone has to hold down the fort. nothing bad
happens. Well, yeah, the only thing is the potential for government shutdown next, you know, next week during the conference, here in the US might mess up TSA and air traffic control staffing. I saw that they at least had a stop gap now through November. Oh, I hope so. I hope. Yeah, that's good. Because I don't want to have to have I don't think there'll be any problem. Getting there. But getting back is going to be an issue. If that's the
case. So good. I'm glad you read the headline I didn't read today. Well, I was instrumental in that. I mean, that was one of the things that I'm doing staying here. You know, I'm the home office. For you. I got shut down the phone said hey, we need just a few more weeks.
Yeah, get these people to get their act together. Yeah. Good. I'm glad you're in charge. Yeah, we need we need somebody in charge. That's for sure. I'm not sure
if it should be me. But here we are. Good. Good, good, good. Well, one of the things that you're going to be talking about at Aamir Khan is cybersecurity. And that's what we want to talk about today, we just released our new state of cybersecurity report, it is state of cybersecurity 2024, since we're looking forward at the trends that we expect to see over the next 12 months, and I think it was pretty interesting to see where people are in their cybersecurity journeys, what they're thinking about. I mean, I'd say in large part, it's a continued evolution of what we've been seeing over the past few years. But as always, we broke it down into four different areas. And I think more so than ever before. This year, those four areas really
break down into two different camps, the strategic and the tactical, I think companies are having to be much more strategic with their cybersecurity, just like they're having to be more strategic with their technology, it's not just a thing of just the tactics, you know, just locking the doors and keeping all the bad guys out. There's a lot of strategy that goes into it, from the objectives that people are thinking about, for their organization, to the types of decisions that they're making. And then there's the tactical side of things that gets into the skills and the products that people are using. So I think those two areas are really starting to emerge, and probably describe some of the difficulty that companies are having. I think we've talked about the difficulty that they're having, just being strategic with their technology, rather than trying to be strategic with cybersecurity is kind of a step beyond that. Yeah, you say they've definitely having some challenges, and they're definitely thinking more strategically, which is good.
The one thing that stood out for me at a high level is how many more of our respondents this year thought they're doing much better with their cybersecurity. So either people are just feeling more confident, for whatever reason, or there's some real, they're there. And they do feel like they're at least talking about cybersecurity, maybe in a more with a level of gravitas that they may be had not been in the past. So they
feel like they're doing a better job. But, you know, I'd be open to your interpretation here. But I took that as a good sign that at least that maybe means people are paying better attention, and the right kind of attention to what they need. As you said, it's not just about locking the doors and putting the fences up.
It's more, it's far more, in reading the report. It's far more complicated than that, and much more sophisticated in the approach. And the number of people that need to be involved are far beyond the IT folks. I mean, clearly they are at the epicenter of the strategy. And they know the most, but it
really is kind of an all team effort when it comes to cybersecurity. And that's I think the other big takeaway, and maybe that's maturation. We're seeing people growing up a little bit about this discipline, which is good.
Yeah, I think we'll touch on a lot of that as we go through the discussion here. But I think probably, you know, you kind of questioned Are they just talking more about cybersecurity? Are they talking about the right things? I would say it's probably largely that they're just talking more about it. It's more front and center. They're more aware of it. And I think they're still building towards all the right ways to handle it, especially in this modern era with cloud computing with mobile devices now with AI, there's a lot of things changing that approach to cybersecurity. And previously, a lot of companies just didn't talk about it very much at all, it was kind of an offshoot of handling the IT, handling the infrastructure. If
nothing bad happened, then you just assumed that your cybersecurity approach was sufficient. And I think companies are recognizing that they have to talk about it a lot more. And then the next step will be getting into the right things that they need to talk about.
Yeah, well, why don't we do we want to walk through some of our four P's the bucket areas here a little bit? Yeah, that's probably a good way to do it. So yeah, we've had these four areas for a few years now. And again, I think this year, I could really see how it breaks down into the strategic versus the tactical. But the strategic side of things starts from the very top, this is a very top down approach. And so we start with policy, by which we mean the mindset of the organization, you know, like, what, what are people thinking the leaders thinking that they want to do with cybersecurity, not necessarily the policies that they would write down, but like, what is the organizational culture and mindset around cybersecurity? And I think over the next 12 months, we're going to see that that mindset really involves doing a lot of risk analysis and risk management as a way of defining the investment in cybersecurity, and as a way of kind of quantifying cybersecurity initiatives. Yeah, I like this section on risk management, it seems to make the most sense to me to how you approach cybersecurity, because as we've learned, and no, this isn't a puzzle to be solved, you can't get to 100%. With cybersecurity, you're never
going to be there. They're all the way. So companies have to do a level of you know, risk analysis, and then learn how to manage that risk in order to say, you know, this is the amount that we're willing to, to risk, and this is what we won't, and then build a strategy around that. And I think that's really the only way to go about it. Because again, you can never, because the depth and breadth of the type of potential attacks and vulnerabilities and everything else out there are never gonna go away. It's like a you know, you're just chasing it all the time. So a better approach is to figure out okay,
what can we handle? What can't we handle? And how do we mitigate whatever? What risk are we willing to take? How do we mitigate it if it goes wrong? And I think that that, seeing that from companies is again, back to my point about seeing a little bit more of a level of maturity in the approach here. And it's interesting, because I think it's going to be very unique, depending on the type of company they are, how they approach this risk assessment, though, you know, whether you're a you know, a institution like a banking or finance that has a lot of rules already written in and compliance issues and, and regulations that you have to follow are really going to dictate strongly what your level of risk is going to be, and how much you're going to invest in cybersecurity protections, etc. Versus a another company that may take a little more loosey goosey approach, not necessarily a smart thing. I think there's a lot of companies out there who may think that they don't need as much or that their risk isn't as high. And that's them not doing their homework very well, because they're not really assessing what that might actually mean to them if they are breached in some way. So I thought this section was pretty fascinating. And the report, I think it's important. Yeah, I
think it's going to be really interesting to see how this develops. Another split that we see when it comes to risk management from one company to another is when we're looking at company size, we see a lot of medium sized companies say that they're following some kind of formal risk management framework. And then we see a drop when we move to the larger companies. And I think the reason for that is, when we move to larger companies in our survey, we're starting to pick up more business respondents and those business respondents in a larger company, are going to have a little bit more distance from the technology team. So you're probably getting some business respondents that kind of don't know if the company follows a formal framework or not. And I think that that's
some insight into the need to make sure that everyone is on the same page. And that these discussions really do include everyone in the organization. It's not just the cybersecurity team driving these things. And then you've got people in a
business unit, kind of wondering why they have to do the things that they have to do. And we can see when we ask which individuals at your company are involved in risk discussions, we do see the CEO pretty near the top, which I think is encouraging because a lot of this is around decision making. And so it's ultimately about the success and the health of the business. But after the CEO, we do see a little bit more of a drop in other business executives or other business departments. And so I think we're going to need to see them get a little bit more involved. Because the other thing that you
alluded to is that these risk discussions really begin to reach into every part of the organization. It's not just the technology stuff. And I think that that leads into the process side of the equation. The second big pillar that we look at was cybersecurity. And that is that, you know, as cybersecurity
processes start getting built out and implemented, they're going to impact business decisions in a lot of other areas. So you can imagine something like social media behavior, that could lead to social engineering that could lead to a larger breach. That's not really technology that the company owns. But the cybersecurity team is probably going to have some guidance around the type of behavior that you should have on social media. Or you could look at like employee exit procedures, which is typically an HR function. But
especially in this era of remote work, there's a little bit less oversight when somebody leaves the company, and so are the assets getting returned correctly, is access getting shut off correctly, there's a whole checklist of things that have to happen. And the cybersecurity team can kind of provide guidance in those things. And ultimately, it will be the HR function that's implementing that employee exit procedure. So cybersecurity, and the processes that get built kind of in line with a risk management discussion are going to start driving a lot of decisions around the organization. Yeah, and as we've been talking about, for years now, the increasing trend of line of business, business folks within an organization, having their own tech budget and making tech decisions, and oftentimes not consulting with the IT department necessarily, that is something that needs to have a process around it. When it comes to cybersecurity, you know, there may be people that are in, you know, in the VP of Marketing, that's deciding a great application for his department would help them with, you know, run campaigns better, yada, yada, yada, all the great things for business, but gives no consideration whether or not that application is secure, where it's going to reside, and how it's going to connect to other things, and what all the implications are for that, who has user access to it, etc. And those are the types of things
when we talk about, you know, process have to be ironed out ahead of time, so that they don't go awry. Yeah, and it really just drives a lot more collaboration, right, it makes sure that if that business unit, that head of marketing, is ultimately the decision maker around procuring a new application, they're not doing that in a vacuum, they're making sure that they're involving the technology team for integration, or the cybersecurity team for security, to make sure that everything's going to fit together and work together and be secure together. So I think there is a lot more collaboration happening, I don't think that everything is happening in a silo nearly as much anymore. And that's a good thing.
It's funny how so much of this comes back to having good durable, soft skills within your organization, because a lot of this comes down to basic good communication within an organization and good collaboration across departments, which I think every company could say they could do a little bit better. And with cybersecurity, it's so so critical that people get on the ball with that. Yeah, yeah. The last thing that I'll say about process that kind of brings this whole strategic part full circle is, a lot of these processes would fall under the umbrella of zero trust. And there aren't as many companies that kind of recognize or are aware that they are trying to implement a zero trust framework across all of their cybersecurity. But there are a lot of companies that are implementing individual practices that would be labeled as zero trust. And what a lot of
companies are finding is that as they're going down this zero trust pathway, and trying to implement a lot more controls, rather than just trusting a user access or trusting data that's coming from somewhere, all of that gets a little bit more expensive. And as things are getting more expensive, then to your point, there has to be good risk analysis on that to understand the right level of investment. So these two things, I think, go really hand in hand. They do. They do. So you mentioned skills. And that leads into the next area, which I think for me starts with my favorite data point from the study. For years, we've asked people what's the biggest
challenge that you encounter when you're trying to implement cybersecurity. And the biggest challenge has been that there's this belief in the company that cybersecurity is quote unquote, good enough. Without really knowing what that means. It probably means Hey, we haven't been breached in a while or I don't feel like we have to spend any more on cybersecurity and there's not like a lot of hard data there. And that's still a pretty prominent reason. It's number two on the list, but
there's a new number one. The new number one challenge to implementing cybersecurity is the level of skill across the organization. And I'm sure most people are thinking primarily about their technical team when they're answering that question, but I do think it also applies to business unit individuals as well. Well, and just the level of awareness that they have to have for cybersecurity. So pretty interesting to see skill gaps jumped to the top there. That's obviously been something
that we've been watching for a long time now. And I think there are going to be major implications around how companies start building out their pipeline of cybersecurity talent, so that they can have resilience in their skills moving forward. Yeah, I noticed that as well. And I think that's, you know,
partly, you know, part of the reason that the skills are becoming so much more important is, the complexity of environments, obviously, is so much more important. And the technologies that we use are more complex, but also the types of attacks are growing much more complicated as well. So it becomes a situation where not only do the technology people at your company, the IT folks, the cybersecurity experts have to be on the top of their game. But as you said, the users themselves your business people, your regular staff, they all have to have at least some level of knowledge and understanding that helps prevent a potential security situation as well. So it's kind of like the skills thing that has to umbrella, the entire organization, at some level, you want your security people on the tech team to be the best of the best, and then you need to have everybody else not be completely at ground zero level of skill. So, you know, I
thought that was particularly interesting, I still think you might go to a lot of smaller companies and find out that for them good enough is good enough. And unfortunately, they're probably the most vulnerable if a breach happens to them, because they don't have the financial resources that a larger company has to weather that. But I think this speaks highly to everybody who's out there today, potentially looking at a career in cybersecurity, that, you know, this is a hot area in demand. We talk a lot about skills based hiring at CompTIA. Now, and clearly, if you've got acumen in the cybersecurity area, and they have the openness to training that goes along with getting better at it, you're going to be a good candidate for a potential job. Yeah,
yeah, I think the other thing that you might see at small businesses is a continued trend towards relatively senior or relatively more experienced cybersecurity professionals. So you know, historically cybersecurity professionals have come from an infrastructure team. And as they've been working on an infrastructure team, they eventually just kind of specialize in cybersecurity, and they become the cybersecurity person. And they've got quite a bit of
experience with infrastructure with institutional knowledge and all those types of things. And I think that that's kind of carried over into hiring practices, we've typically seen companies looking for cybersecurity professionals in like the five to 10 year experience range. And that makes sense, because it's a little bit more of an advanced topic. But
obviously, you're going to run out of those people at some point. So I think what we're seeing this year is companies starting to think about how do I build the pipeline. And that involves not only opening the doors to a wider range of candidates, and looking for college hires, or maybe non college degree individuals that can prove their skills through certifications or some other method. But it also means for those companies that they kind of have to build that role, they have to build a junior role on the team and build a pathway for career advancement. And those experienced cybersecurity
professionals, I think can help with this. But it's a little bit different from the old model of just kind of graduating people from infrastructure into cybersecurity. Yeah, that'll be interesting to see, we also didn't mention, you know, the use of third parties, you know, you know, outsourcing so some of these activities to channel company, you know, an MSP or, or another type of solution provider. And as you
see in your study, there are companies, plenty of them that do use third parties for some or all of their cybersecurity needs. And most of these companies that they outsource to, if they're using them for their general technology needs should at least expect that those providers have a level of cybersecurity expertise as well, because everything kind of requires a little bit of a blanket around it. When it comes to cybersecurity whether or not whether it's not the actual discipline that you're supposed to be focusing on right there.
So I think it's important for companies to be vetting those third parties in terms of skills just as they would potential candidates within the organization or potential new hires that they might be looking to go after. Yeah, I think there's those two sides of using third parties. You could be using a third party for a very specific piece of your cybersecurity tactics right and say, I need you to cover my cloud security or my data security or whatever it might be, you know, maybe in some cases, you know, that third party is the virtual CIO, and they have to become the virtual CISO as well. But you know, at that tactical level, I think there's a lot of specificity around what companies are looking for. And then the other way of thinking about third parties is, as you're thinking about your overall cybersecurity posture, and all of the elements that contribute to cybersecurity, you need to be thinking about things like your cloud providers, or anyone that's providing new technology services, even if it's not around cybersecurity, like you said, you kind of gotta be asking those questions and making sure that from an organizational cybersecurity standpoint, you know, all the answers to all the questions, and some of these third parties might not be directly involved in tactics, but they're still going to be part of that overall fabric.
Yeah, you need to vet them. I mean, look at what just happened to the casinos in Vegas, you know, MGM and Caesars both with their ransomware attacks. One of the one of the casinos, I believe that the vulnerability was the they had an outside firm, it was running their helpdesk or doing something. And
social engineering by the malicious group was the way to get in. And I'm sure that MGM would love to have vetted, you know, and understood that there might have been a weak link in the you in that provider that they outsource to granted, that could have happened to an internal person as well. But that's just an example of having to do so much due diligence, it's not an easy task to do. And it's got to be something that you have to do on a on a perpetual basis, with the providers that you work for just as that you use just as much as your internal employees. It's tough job.
Yeah, it's a lot to think about. You know, like we've been talking about the amount of things you have to think about here, have really just skyrocketed over the past few years. And I think that's one of the big challenges for companies is the complexity of all of this and trying to make sure that every single one of your bases is covered. So the final area, then, is the products. And we've said I think before on this podcast, as we've mentioned in our reports before, this is kind of turning the world on its head because I think for a long time, this was where people started with cybersecurity was okay, let's just get the products in here. Let's get any firewall and the antivirus and set it up. And
that's our cybersecurity posture. And now product is kind of the last thing that gets thought about after you've taken this top down approach to thinking through your strategy and getting the right skills in place. One thing that makes it particularly challenging for this year's report, having product be the last thing is this is where we're talking a lot about artificial intelligence. And of course, everyone wants to
talk about artificial intelligence first, so we often have to, we're flipping things around a lot when we're talking with people on the outside. But artificial intelligence is definitely the main thing influencing the product set with cybersecurity. That's kind of influencing everything in technology these days. And there are definitely a lot of companies that have been using AI already. And they see generative AI and some of these newer tools like LLMs, being just a step forward in their journey with AI. And then there are other companies that really haven't done much with it, and all the attention is causing them to look at it more. And
there are a lot of different areas that people imagine AI could be helpful with cybersecurity in the future, from monitoring network behavior to analyzing user patterns and looking for, you know, malicious actors that are trying to get in. So there's a lot of different possibilities out there. But there's definitely some prerequisites that come to using AI successfully in your cybersecurity approach.
Yeah, AI is going to be interesting in this arena, for sure. You can see some of the obvious areas. I mean, one of the things that the respondents said they look for when they look for a third party is somebody who understands the threat landscape and can do that kind of preemptive type of monitoring. And you can see AI being applicable in that circumstance, certainly to fill some skills gaps with routine tasks, network monitoring, and that sort of thing. Although that makes me think about when you mentioned earlier just a bit ago that people need to be thinking about filling the pipelines with junior positions. And I'm wondering if AI is the junior position now it fills those tasks. And so, you know, the hiring just jumps up to somebody
it at a more mid tier level, because AI can handle some of the entry level job but that I think that's something that everyone's kind of turning over in their head with, with all technology roles right now is where AI is going to fit in there. But I do think we're at a very we're really at the beginning in terms of where it's going to be used for a lot of companies. I think there's a lot of potential though a lot of potential. Yeah, yeah. And I think all of the same caveats with AI apply in cybersecurity, that, you know, it relies on data. So
your data has to be good if you're gonna feed it in and train the systems. It relies on probabilities. And so those outputs aren't always going to be perfect. And you've got to have, you know, guardrails in place and Plan B's and oversight, and whatever it is to make sure that some of those false positives get caught in some way. And I think one sort of unique thing to cybersecurity, or at least one thing that's definitely coming out in cybersecurity, in this report is, AI is probably not going to be its own product, right? You know, the cybersecurity toolbox is huge. We've got the firewalls and the antivirus that I mentioned before. And now we've got DLP and IAM and SIEM and a million other things that people have started using, and we see a lot of growing momentum over the past few years. And AI isn't
going to be I think, a new line item on that list. It's going to be a feature of every single one of those tools. And so I think that, while AI will help a ton with automation, and it'll handle a lot of routine tasks. Right now, there's so much expertise needed across that tool set, I think what we're going to see is that all of that expertise needs to add AI to the skill set, so that they can continue using those things. And then companies are going to find increased productivity and efficiency as they're directing their skilled professionals to use AI to solve some of their problems.
Yeah, I think at least initially, I think it's going to open up a lot of opportunities for people to be guiding AI, you know, and so there may be new job roles in there, or there are going to be additional responsibilities for people in existing cybersecurity roles that dovetail with AI. So I see it as kind of a it's gonna keep people busy versus the opposite. So that'll be very interesting to see as we go forward. Yeah, yeah, for sure. So I think that's a quick overview. There's more detail in the report that's available at CompTIA's website, you can find a link in the show notes. And this is the first of
two episodes that we're going to have talking about cybersecurity. October, of course, is Cybersecurity Awareness Month. So we want to talk about it as much as possible. And next time, we're going to have a guest that pays attention to this stuff in the real world, rather than just gathering data like we do. And so they can add a lot of flavor
to the discussion and some of the data that we've collected. Terrific. Yeah, I'm looking forward to it be good to get somebody who's got some skin in the game and seeing what's going on out there. So tune in next time. Yeah, I think anyone that like has a steady diet of cybersecurity, you know, media or content in their life will probably recognize this person. So stay tuned and join us back
in a couple of weeks. Little cliffhanger there. That's right. So, all right. Well, I think that's it for today. Thanks as always to our producer Andrew McMillan and Carolyn. I'll see you next time with our very special guests. All righty.