Risky Business: Dealing with cybersecurity’s talent shortage
Information security is one of the fastest growing occupations in the U.S. today, projected to grow 18 percent by 2024 (source: BLS.gov). Not surprisingly, there is a worldwide shortage of experienced cybersecurity professionals. At least one widely cited report places the figure at over a million unfilled positions, while also noting that the gap won’t be solved simply by stepping up the number of cybersecurity college graduates. It’s a complex field, and it takes years to acquire the kind of comprehensive knowledge needed to prevent ever-evolving cybercrime attempts. So where can this kind of talent be found today—in abundant enough numbers to stay ahead of cybercriminals?
Rather than trying to build and manage security internally, many organizations are entrusting their data to cloud providers. A cloud provider is a company that offers some component of cloud computing – typically Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service (PaaS) – to other businesses or individuals. To be competitive, cloud providers must have solutions for rapid deployment, seemingly infinite scalability and feature-rich agility.
While most public cloud providers, such as Amazon Web Services (AWS) and Azure, focus on foundational services, they rely on partners (managed cloud service providers) to serve the needs of customers who demand industry-specific solutions that meet rigorous regulatory, security and privacy standards. Healthcare and life sciences are just two examples. Cloud managed service providers are staffed with senior professionals with a wealth of knowledge, thanks to continuous immersion and training in all things related to the needs of the industry they serve, such as security, privacy, regulatory compliance and specific workloads. The level of professional expertise can span from manager to director to C-Suite executives, but almost all members of the managed cloud service provider’s security team will have a decade or more of experience in IT security and privacy.
Even as an organization weighs the benefits of the cloud for its own workloads, understanding its security risks and mitigation plans is crucial. Strategies used successfully on a legacy system will not necessarily transfer to a cloud strategy. The healthcare industry in particular has an acute talent shortage in security, and working with patient health data in a public cloud requires a very specific, ever-evolving knowledge set; it’s not something that can easily be picked up from a lunchtime webinar. At a minimum, it calls for deep experience in complying with HIPAA standards for security at the physical, technical and administrative levels.
With the advent of public clouds, expertise is required in using tools developed specifically for managing security in these environments. AWS, for example, offers DIY tools like CloudTrail for log monitoring—just one of the security tasks mandated by HIPAA. Obviously, these tools take time to learn, use and automate, and HIPAA compliance itself is a constant endeavor. Many organizations would rather use their IT resources for innovation, not continuous security.
The good news is organizations don’t need an internal team of security experts to breach-proof their IT assets. A certified AWS or Azure cloud partner can step in with services that include:
- Application security
- Identity and access management
- Configuration management for operating systems, networks and firewalls
- Client-side and server-side data encryption
- Network traffic protection
- Log management
- Monitoring and alerting
- and much more.
Hackers are always looking for vulnerabilities in an organization’s network. A cloud services partner with an exclusive focus on protecting valuable data will deny them any opportunity to find one. The value of this partner’s constant monitoring of the entire network infrastructure for any breach attempt cannot be overstated. Judging by the frequently long stretches of time between a breach and its discovery, many organizations are unable to keep up with this sort of vigilant surveillance – which includes maintaining a continuous watch over which employees enter the network and when.
As we look to the future, it becomes clear that cyberattacks will continue to diversify in methods and complexity. That’s why so many organizations are hiring Chief Information Security Officers or outsourcing the role—and shifting the risk—to their cloud services partner.
About the Author
Chris Bowen is one of the U.S.’ leading experts on patient privacy and security. He manages the risks and business challenges faced by healthcare organizations, with a specific focus on cyberthreats, privacy violations, security incidents, social engineering attempts and data breaches. He holds an M.B.A. and a B.S. in Economics from Arizona State University.
Originally published in the Tech Connect, Summer 2016 (pg 8).