Stephen Cobb, writing in December for WeLiveSecurity, said there is currently a global shortage of one million cyber security workers. Cobb, who does regular surveys on this subject, said the US alone needs something like 200,000 more people skilled in cyber security. These are not just people that IT managers fantasize about hiring. They are funded positions that remain empty because there aren’t enough qualified applicants to fill them. Cobb suggests the shortage of qualified cyber security workers constitutes a crisis that puts organizations’ proprietary data and intellectual property at risk.
With a 200,000 applicant shortage, it is no wonder that many businesses find it takes a full six months to fill a cyber security job.
It is just a coincidence that’s about the same amount of time — 170 days — to learn your network has been breached. In other words, if you have no cyber security professionals on staff who are capable of recognizing a breach, it could take you a year to deal with the problem (i.e., six months to learn you have suffered a breach and six months to hire somebody to deal with it).
My advice, which probably doesn’t surprise you, is not to wait six months to fill your security position. Take some of your best IT staff and train them as a cyber security first-response team.
According to The 2016 Cost of Data Breach Study: Global Analysis, the presence of an incident response team reduces the average per-record cost of a data breach by $16, from $158 to $142. This beats every other cost mitigator, including “extensive use of encryption,” which only reduces the cost by $13. In other words, you can reduce the cost of the data breach by 10% if you field an incident response team. The same report says you have a 25% chance of incurring such a breach. That is probably a conservative estimate, since the report was published last year and the cyber crime is a growth industry.
If the average data breach costs $4 million (as suggested in the report), budget $1 million for data breaches (i.e., $4 million multiplied by your 25% chance of incurring one). That means having an incident response team reduces that budget item by $100,000 (i.e., 10% of $1 million). That means there is $100,000 to be gained (or at least saved) by fielding an incident response team. The question is do you organize the team now and pick up your $100,000, or do you try to hire someone, leaving your network unprotected for six months?
Field an incident response team. Consider the Logical Operations CyberSec First Responder (CFR) program. The CyberSec First Responder: Threat Detection and Response course will teach your first responder team to analyze threats, design secure computing and network environments, proactively defend networks, and respond/investigate cybersecurity incidents. The training takes five days. That means you can substantially improve your security in a week rather than waiting six months to hire somebody who’s qualified to do it for you.