New “born in the cloud” companies have it EASY! If I was to start a company today, it would be relatively simply (and fast) to choose business platforms, applications, and endpoints. While in reality, businesses have years of technology investments and business processes. So while companies are seeing the benefits and value of a digital workplace strategy, they risk creating a substantial functionality deficit.
Insight
-
-
ESG and the Information Systems Security Association (ISSA) just published a third annual research report titled, The Life and Times of Cybersecurity Professionals. (See the latest version here.) This year, we asked respondents to identify the most stressful aspects of a cybersecurity job/career. Here are the results:
- 40% of respondents said that one of the most stressful aspects of a cybersecurity career is keeping up with the security needs of new IT initiatives. So, the IT team is busy moving workloads to the cloud, deploying IoT devices, or writing new mobile applications, driven by new business initiatives. Unfortunately, the cybersecurity team often lacks the appropriate technical knowledge and must play catch up on understanding risks associated with changing business processes. This is a risky situation.
- 39% of respondents said that one of the most stressful aspects of a cybersecurity career is finding out about IT initiatives/projects that were started by other teams within the organization with no security oversight. Okay, take the previous scenario around keeping up with IT initiatives and throw in the element of surprise. Think about when a marketing executive announces, “We’ve decided to share sensitive customer data with a third-party that specializes in customer profiling and analysis. We started this project three months ago.” Now the CISO must figure out how to safeguard the data after the fact. Pretty darn stressful.
- 38% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to get end-users to understand cybersecurity risks and change their behavior accordingly. Yes, most large organizations do security awareness training, but it’s treated as a check-box exercise only. Since people are a weak link in the security chain, most organizations don’t push cybersecurity education far enough, leading to a stressful work environment and big cybersecurity problems.
- 37% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to get the business to better understand cyber-risks. I have good news and bad news here: The good news is that we are on the cusp of a new class of proactive risk management tools from vendors like Kenna Security, Rapid7, RiskLens, RiskSense, Tenable Networks, and others that can monitor and report on cyber-risk in real time. This class of technology will help CISOs and business executives make data-driven and timely risk mitigation decisions. The bad news is that too many companies still view cybersecurity as a necessary evil and really don’t care to better understand cyber-risk. Cybersecurity professionals working at this kind of organization should address job stress by simply moving on.
- 36% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to keep up with the growing workload. There’s that pesky cybersecurity skills shortage again. Certainly, there are things that can be done here (technology integration, process automation, and managed services come to mind), but this is a societal issue that the public and private sector must deal with collectively.
The latest version of the ESG/ISSA research report is available for free download here. Your feedback is most welcome.
-
This week Extreme hosted customers for its second annual customer event, Extreme Connect. Reflective of its own growth, conference attendees doubled in size this year and that was evidenced by its packed keynotes and technology breakouts. The theme for this year’s event was #FutureForward.
-
…and going back to my Veeam friends to attend VeeamON. I expect to see and talk to the Veeam leadership and product teams about the roadmap and new features they have in store. I will also spend time with end-users to discuss their experience with the solution. It is great to get first-hand feedback. I am very interested in a couple of areas in particular: data compliance and recovery testing…or actual experience dealing with an actual disaster. (more…) -
Cybersecurity professionals are paranoid by nature. That’s not a bad thing, it’s a job requirement. We want our cybersecurity team to “think like the enemy” to discover and remediate vulnerabilities as rapidly as they possibly can. Aside from this cynicism, my cybersecurity friends also take great pride in what they do. Like Elliot Alderson from the TV series “Mr. Robot,” many cybersecurity professionals want to save the world (from hackers and the like).
With this profile in mind, some of the data from Enterprise Strategy Group and ISSA fits with this professional mistrust. For example, 91% of cybersecurity professionals surveyed believe that most organizations (other than their own) are extremely vulnerable or somewhat vulnerable to a significant cyber-attack or data breach (i.e., one that disrupts business processes or leads to the theft of sensitive data).
This question has been included in the survey for the past 3 years and the results haven’t changed a whit and is one indicator of just how bad things are.
As part of this year’s project, survey respondents were also asked about the balance of power between cyber-adversaries and cyber-defenders. The results were equally depressing – 59% of respondents believe that, in general, cyber-adversaries have a big advantage over cyber-defenders, while 34% claim that cyber-adversaries have a marginal advantage over cyber-defenders.
Why the imbalance? Cyber-adversaries are well organized and cooperative. There are strong divisions of labor and even customer services between coders and criminals. Cyber-adversaries have access to hacking tools written by government intelligence agencies with advanced skills. Finally, hackers can afford to be persistent and patient. It’s okay for them to experiment, fail, re-group, and try again. Sadly, a skilled adversary can find their way into networks with a bit of sweat equity.
For those of us who live in the world of cybersecurity, these results aren’t surprising, but they should be alarming to everyone – business people, legislators, consumers, and citizens. The battlefield is heavily tilted toward black hats, with cybersecurity professionals constantly fighting uphill.
Pure and simple, the ongoing cyberwar isn’t a fair fight. We as a society need to accept this reality and put more effort and resources into balancing the playing field. Technology hyperbole and arm waving won’t cut it.
-
I attended the Big 5G event in Denver Colorado last week. The show was well attended, with every session I went to, including keynotes, having standing room only. That is probably a good indicator of the level of interest in and even to a certain degree the level of hype surrounding 5G.The keynotes had representatives from major North American CSPs, including ATT, C-Spire, Sprint, T-Mobile, and Verizon (alphabetically). While there was plenty of “we were first in this 5G category” claims from two of these vendors and commentary about other countries’ deployments that would lead you to believe this was a race, one of the speakers echoed a comment from a recent DARPA show that probably sums up the transition to 5G best, in that 5G is an evolution, not a race. Indeed, comments from the other major vendors stated that they did not want to release a 5G solution until they are ready, which they assured us they will be soon. In fact, CTIA stated there will be 92 5G deployments in 2019. Across all of IT, we have seen technology adoption accelerating, and 5G is no different, so expect the 5G adoption rate to be the fastest yet. ATT cited an example that a new deployment would typically be 18 mos, but for their first roll out, it was only six months.
Indeed, when most think of 5G rollouts, radio antennas come to mind, but there is a lot required to prepare for and extract the full value of 5G. Nicki Palmer from Verizon reminded the crowd that the first key technology enabler for 5G is more fiber, for the fronthaul, backhaul etc., to accommodate the dramatic increase in data across the 5G network. Next was the more obvious spectrum required (mid-band and mm wavelength), which in many parts of the world are still ongoing improvements. After that the focus turns to the core and the requirement for software-defined networking to enable a far more dynamic environment. And lastly was the need for multi-access edge compute. This last one is particularly important for real-time or near real-time applications. It also opens up the 5G ecosystem players.
The 5G ecosystem is rapidly growing as well and the Big 5G Event show floor was an indicator of this. Not only were some of the usual networking suspects like Adva, Cisco, Ericsson, Huawei, and Samsung present, but the exhibit hall also contained companies like Palo Alto Networks and Fortinet to talk about security; Guavas, NetScout, Sandvine, and SevOne for network management and service assurance; Pure Storage and Western Digital were talking about storage at the edge; Apis and Global Knowledge both highlighting training and education services, among many others including: Affirmed, F5, Intel, Oracle, and Pluribus (SDN).
Clearly, though the pressing thought on everyone’s mind was “How are the telcos going to monetize 5G?” the resounding answer, at least initially, will be with a focus on the enterprise. As I sat through the track for potential use cases, it was clear that for the near future, 5G services will be more focused on business applications. Looking at 4G, most would agree its killer app was video. Enabling consumers to stream video was huge. OTT companies like Netflix and YouTube have benefited from it tremendously and CSPs are actively acquiring content to capture that revenue stream. Many of the speakers at this event (and at other shows I have attended this spring) speculate that Augmented Reality or AR will be a driver for 5G. Actually, it was referred to as Mobile XR (XR= AR+VR) and its use cases spanned from the obvious gaming and entertainment industry, to augmented reality to aid in surgeries, accelerate problem resolution in manufacturing plants, even leveraging AR to detect allergens in products at the grocery store. Of course, there are many other uses like autonomous driving, last mile point to point bandwidth, modular robotic assembly lines, and even enabling untethered cameras for sporting events. Clearly 5G will also benefit consumers, but users shouldn’t think of these initial rollouts as the final product, but more like test beds to learn from and improve the technology and coverage. The estimates at the event indicated widespread 5G subscriptions (about 1 billion) by 2023.
At this early stage of the 5G Evolution, the best advice I can provide to enterprises and consumers is to get educated on 5G technology, work with your appropriate telecommunications providers to understand their plans for rolling out the technology in your area, and try to learn from the early adopters to accelerate your own deployment. There is no doubt 5G is coming, and its speed of adoption may eclipse 4G given the interest and hype surrounding it. Stay tuned for more information on enterprise use cases and the build-out of the ecosystem. Also check out my video blog on this topic below.
-
Every technology event or conference offers insight into the future of IT. Few, however, rival the breadth of digital business impact or the passion among the attendees that Red Hat displayed this week. After only a few hours on the floor and talking with attendees, I am reassured not only that IBM is making a wise move with the acquisition, but also that Red Hat is incredibly well positioned to address the challenges of modern IT. -
I’ve been writing about the cybersecurity skills shortage for 7 years and have become the “Chicken Little” of this topic. Now, we’ve all read about the number of cybersecurity job openings out there, but what is the impact of the skills shortage on cybersecurity professionals who are gainfully employed?
This is one of the focus areas of the third annual Enterprise Strategy Group/ISSA research report titled, The Life and Times of Cybersecurity Professionals 2018. To evaluate this question, 267 cybersecurity professionals and ISSA members were asked whether the cybersecurity skills shortage has had an impact on the organization they work at. Nearly three-quarters (74%) of respondents say that the cybersecurity skills shortage has impacted their organizations significantly or somewhat.
This percentage has crept up annually. Last year, 70% of respondents said that the cybersecurity skills shortage had impacted their organization, while 2 years ago, it was 69%.
Does this indicate that the cybersecurity skills shortage is getting worse? It’s hard to say (based upon ESG/ISSA research alone) due to the changing research panel pool and the margin of error for the sample size. What’s absolutely clear however is that there is no evidence to suggest that the cybersecurity skills shortage is improving whatsoever.
What are the ramifications of the cybersecurity skills shortage? We asked this question to the 74% of respondents whose organizations have felt the impact. Here are the results:
- 66% of respondents claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough people, they simply pile more work onto those that they have. This leads to human error, misalignment of tasks to skills, and employee burnout.
- 47% of respondents claim that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize some security technologies to their full potential. Let this one sink in. Organizations are buying expensive security tools but then letting them languish since they don’t have the time or resources to take advantage of them. Hmm, I wonder if Marsh & McLennan should consider this fact before developing a rating system for cybersecurity products. Note to Marsh: Product quality doesn’t matter if no one knows how to use it properly.
- 41% of respondents claim that the cybersecurity skills shortage has resulted in having to recruit and train junior employees rather than hire experienced cybersecurity professionals. This situation is the new reality so organizations must get used to it. In fact, smart CISOs will work with local universities, develop training and job rotation programs, establish mentorships, and become centers of excellence for cybersecurity career development.
- 40% of respondents claim that the cybersecurity skills shortage has resulted in limited time to work with business units to align cybersecurity with business processes. Think about this one. Organizations are expanding their use of technology as part of their business mission, yet the cybersecurity staff doesn’t have enough time to work with the business to mitigate risk or safeguard business processes. Holy cow, this should be an alarming statistic for every CEO.
It is worth noting that the cybersecurity skills shortage is about skills and not just job vacancies. So, many organizations are understaffed and lacking advanced skills in areas like cloud security, threat intelligence, security investigations and forensics, etc.
President Trump recently issued an executive order aimed at bridging the cybersecurity skills gap. Will this make a dent in the skills shortage? Nope. Any action is better than none, but the executive order is window dressing – too little and too late.
Since our lives are now controlled by bits and bytes, the cybersecurity skills shortage is an existential threat to all of us. It’s high time we addressed this issue with a true sense of urgency.
Note: The Enterprise Strategy Group/ISSA report is available for free. The data presented in the report should be beneficial for cybersecurity and IT professionals, business managers, and legislators.
-
I had the opportunity to catch up with Alex Almeida at Dell Technologies World 2019 in Las Vegas in the Data Protection booth to discuss the significant new announcements the company made at the event. Don’t miss it! (more…)
-
Look, there is no denying that Microsoft Windows has a massive footprint across the globe and has been the primary endpoint operating system that companies have relied on for decades. Heck, as much as I personally sometimes try to move over to other platforms like Mac OS or Chromebook, I find myself tied back to Microsoft Windows at some capacity. The same situation holds true for businesses as they continue to use Microsoft Windows because they have to, but the usage and interest of alternative solutions compounded with truly amazing capabilities on smartphones and tablets opens the door to create an enlightened end-user experience and improved productivity. -
Finding the right metrics to measure the effectiveness of your security programs can be challenging and subjective. While most everyone can agree on the ultimate objective of preventing breaches, there is much discussion about how to objectively measure and report on the effectiveness of everything between your first dollar invested in security and your planned security investments for the coming year.
ESG and the Information Systems Security Association (
…and going back to my Veeam friends to attend VeeamON. I expect to see and talk to the Veeam leadership and product teams about the roadmap and new features they have in store. I will also spend time with end-users to discuss their experience with the solution. It is great to get first-hand feedback. I am very interested in a couple of areas in particular: data compliance and recovery testing…or actual experience dealing with an actual disaster. 
Cybersecurity professionals are paranoid by nature. That’s not a bad thing, it’s a job requirement. We want our cybersecurity team to “think like the enemy” to discover and remediate vulnerabilities as rapidly as they possibly can. 
I attended the Big 5G event in Denver Colorado last week. The show was well attended, with every session I went to, including keynotes, having standing room only. That is probably a good indicator of the level of interest in and even to a certain degree the level of hype surrounding 5G.
Every technology event or conference offers insight into the future of IT. Few, however, rival the breadth of digital business impact or the passion among the attendees that Red Hat displayed this week. After only a few hours on the floor and talking with attendees, I am reassured not only that IBM is making a wise move with the acquisition, but also that Red Hat is incredibly well positioned to address the challenges of modern IT.
Never a dull moment in the data protection market. After last week’s announcements at Dell World, 
Look, there is no denying that Microsoft Windows has a massive footprint across the globe and has been the primary endpoint operating system that companies have relied on for decades. Heck, as much as I personally sometimes try to move over to other platforms like Mac OS or Chromebook, I find myself tied back to Microsoft Windows at some capacity. The same situation holds true for businesses as they continue to use Microsoft Windows because they have to, but the usage and interest of alternative solutions compounded with truly amazing capabilities on smartphones and tablets opens the door to create an enlightened end-user experience and improved productivity.
Finding the right metrics to measure the effectiveness of your security programs can be challenging and subjective. While most everyone can agree on the ultimate objective of preventing breaches, there is much discussion about how to objectively measure and report on the effectiveness of everything between your first dollar invested in security and your planned security investments for the coming year.