Rebuilding Modern Organizations for Security's Sake

CISOs at top companies have a lot on their collective plate.

Given that more than eight out of 10 security executives expect that the risk of cyberattacks will increase for the foreseeable future, it's no wonder that CISOs are concerned about the current state of — and future prospects for — the organizations they serve.


A recently-published (Aug. 23) report (registration required to obtain download) from Forbes Insight, sponsored by cybersecurity firm Fortinet, underscores and illuminates those concerns. All in all, this 24-page report is worth a once-over, especially for IT professionals interested or involved in cybersecurity on the job.


Those in security management (or who aspire to fill such a role as a future stage in career development) should especially take note. The population surveyed includes 209 CISOs: 39 percent from North America, 31 percent from EMEA, and 30 percent from APAC.


Seven out of 10 respondents work for organizations with 10,000 or more workers, and all respondents' parent organizations generated annual revenues at or above $1B for the preceding 12-month period (53 percent of respondents claimed $10B or more in revenue during that period). All interviews were conducted in January and February of 2019 (see "Methodology," page 22).


Crafting and Executing Security Policy takes "Talent and Teamwork"


From my perspective, the most interesting section of this report addresses the steps that CISOs are taking, or planning to take, to boost the security skills, knowledge, and awareness of people within their organizations. This portion of the report spans pages 15 through 19, and is also carried forward in the next section of the report. Here's a relevant clipping:


A new survey reveals cybersecurity trepidation among CISOs.

Source: "Making Tough Choices" CISO Report by Fortinet and Forbes Insight


That section prescribes "actions to take" for CISOs seeking to address their security concerns and provide maximum protection and value for their organizations. As a person who's been researching and writing about security topics since the mid-1990s, with an emphasis on security training and certification, I couldn't help but glean some important nuggets for GoCertify readers from this material, including:


Better Security Training of Employees: This starts at the foundation, with security awareness training for all employees. And for security professionals, or those whose jobs include a security component, the report suggests to CIOs that they "be sure you are focusing on your people's cybersecurity knowledge."


To me, there is no better toolset available to help with this task than the many and varied cybersecurity certifications available from both vendor-specific and vendor-neutral perspectives. At last count, I surveyed more than 100 serious and reputable cybersecurity certs of one sort or another, ranging from foundational credentials like the CompTIA Security+ (which just hit the 500,000 certifications earned milestone earlier this month) into specialized areas such as forensics, penetration testing, governance and security policy formulation, and more.


Increasing Security Management Expertise: Here again, specific certifications provide excellent insight and information to those with one foot in technical cybersecurity and the other in business and organizational management. Applicable certs include CISA, CISSP, CGEIT, and CRISC, among many others.


Automate Your Resources as Much as Possible: As with other areas in IT — most notably, DevOps — an organization's ability to anticipate responses with effective, workable automation can spell the difference between continuing, profitable operations and security breaches with attendant fines, financial losses and damage to brand and reputation.


Organizations should be working hard to roll out security automation as part of an overarching software-defined networking, virtualization and customer/client service strategy. This is where a focus on specific IT frameworks and architectural disciplines, and related training and certification programs (such as ITIL, TOGAF, PRINCE2 and so forth) offer lots of opportunities to increase security awareness, posture and capability along with lots of other useful enhancements to IT implementation, deployment, and lifecycle management.


What Does This Mean for IT Professionals?


Cybersecurity remains an evergreen subject matter for IT professionals across the entire field. There are still few technical specialties that can add as much (or more) value to a person's IT career track than a careful investment of time and energy into relevant security training and certification.


This goes double for those interested in ascending to the security management track. See these Google Searches for the raft of cybersecurity and certification-related stories I've written for and Business News Daily for all kinds of interesting training and certification possibilities to help increase your career's cybersecurity profile.


About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website at, where he also blogs daily on Windows 10 and 11 topics.