Cyber-talent shortage can put healthcare organizations at risk
In cybersecurity, good help is hard to find, and the global cyber-talent shortage is making it harder for organizations to keep up with the cyber-basics, never mind the enormous task of assessing the security implications of digital transformation.
CyberSeek, a project funded by the National Initiative for Cybersecurity Education, reported last year that the United States faces a shortfall of almost 314,000 cybersecurity professionals. ISC2 puts the global gap at 4 million. The talent shortage is more than an inconvenience: a recent Center for Strategic and International Studies survey of IT decision-makers across eight countries found that 71 percent believed this talent gap causes direct and measurable damage to their organizations.
Healthcare organizations already face an especially high level of exposure to “insider threat” and ransomware attacks. And when you factor in the emerging threat from IoT devices and the fact that digital transformation means giving more external partners and vendors access to your IT systems and data stores, you’ve got a perfect cyber-storm brewing on the horizon. The attack surface is growing bigger every day, and there aren’t enough skilled professionals to defend it.
What’s a health care CISO to do? Here are a few ideas, for starters:
- Accelerate detection of compromise. When organizations lack the tools and the talent to quickly detect compromise, cybercriminals can lurk in systems for extended periods, quietly doing great damage. Verizon’s 2019 Data Breach Investigation Report (DBIR), which analyzed and deconstructed over 40,000 security incidents of which 2,000+ were data breaches, showed that most breaches succeeded within seconds to minutes, yet 56 percent of breaches took “months or longer” to discover. Optimized threat intel, enhanced endpoint detection tools, and autonomous threat hunting technologies can accelerate detection without taxing security staff.
- Acknowledge that cyber “blind spots” thrive in under-skilled organizations. Across all industries, 34 percent of incidents and breaches examined in the Verizon 2019 DBIR were traced back to insiders – employees and third parties with access to corporate systems and data who did bad things, intentionally or through creative ignorance. In healthcare, that number was 59 percent – the only industry where inside bad actors were proven to be more damaging than outside ones. Combatting the insider threat means thoroughly reviewing business processes that can lead to data leakage (a long and manually intensive process) and having the skills to develop and deploy controls that protect data without impeding the flow of business. In lean, overburdened security programs, third-party risk assessments are often limited to questionnaires, and comprehensive site visits of critical suppliers become a rarity.
- Revisit your incident readiness plan, often. Maintaining a robust, up-to-date incident response (IR) plan is key to resiliency. But too many security organizations de-prioritize the care and feeding of their plans, favoring other activities that appear more urgent. Assessing over a hundred real-world incident plans through plan reviews and breach simulation exercises from 2016 to 2018 for its recent Incident Preparedness and Response Report, Verizon found that only 48 percent of plans were “logically constructed” (i.e., adhering to established IR best practices,) and that only 57 percent of IR Plans required periodic rehearsals with IR stakeholders. When IR becomes a “we’ll get to it” initiative, it won’t be gotten to until a 3 a.m. crisis strikes, and by then the plan won’t be nearly as effective as it could have been.
Until workforce development initiatives begin to close the cyber-skills gap, CISOs must realize that they can’t do everything. Instead, they must take a risk-based approach to cybersecurity and focus on what is more likely to happen rather than what’s simply possible. And since the talent shortage makes it harder to gather the data needed to implement a risk-based program, you can find the Verizon reports cited in this article above for free at https://enterprise.verizon.com/products/security/.
About the Author:
David Grady (CISM, CRISC) is a Security Evangelist for Verizon, where he speaks on security topics at conferences across the globe and helps customers refine and achieve their cybersecurity objectives. David joined Verizon in 2015 from State Street Corporation, where as a Vice President, he helped design and implement a continuous cybersecurity monitoring program. David was also a Senior Vice President for Security & Risk at the Royal Bank of Scotland from 2005 to 2010.