The so-called ‘great resignation’ due to wage stagnation, long-lasting job dissatisfaction, and health concerns over the COVID-19 pandemic may include those in cybersecurity functions in IT departments.
But if it’s happening there, the problem could create more than a shortage of bodies, according to a panel at Thursday’s IT World Canada MAPLESEC Satellite online series.
The bigger problem, said Cat Coode, founder of the Canada-based Binary Tattoo data privacy consultancy, is that organizations lose part of their cybersecurity knowledge base with every person who departs, for whatever reason. Staffers who, for example, understand the informal patch management procedure may not pass on that knowledge.
“I do a lot of reviews of a lot of [cybersecurity and privacy] policies,” she said, “and I will tell you they often sit unread, or they’re incomplete, or the policy says ‘we’ll do something’ [in this circumstance], but there’s no matching procedure … so if someone leaves, the patch management program goes.” Even if IT staff don’t leave, it’s still vital to document cybersecurity procedures, she said.
Panellist Brennen Schmidt, an author and cybersecurity educator, said CISOs should think of the ‘great resignation’ less as a cybersecurity problem and more as an opportunity to get rid of silos in their organization. Create a map identifying the touchpoints cybersecurity has across the organization, he advised. See personnel change as an opportunity to bolster cybersecurity collaboration across the enterprise, while at the same time developing resiliency to cyberattacks.
Jim Love, IT World Canada’s chief information officer, said staffing moves represent a change in the way we work. “I know of organizations where every month a key person leaves,” he said. “We have to understand that. It will be a huge challenge for some organizations.”
The panel also touched on a number of other topics:
What could have been done to avoid the cyber attacks seen last year?
Love: Follow seven basic cybersecurity controls: awareness training; teach users to create better passwords; use multifactor authentication (MFA) to protect logins; know your corporate data, hardware, and software assets so they can be protected; patch software; and have an incident response plan. “We don’t have to be victims,” he stressed.
Coode: Create a culture where your staff are free to admit cyber-related mistakes. Management must recognize mistakes happen, she said.
What can be done about supply chain attacks?
Coode: Many of an organization’s partners and vendors have our data: they access it, analyze it, and copy it to their systems. It’s not so much an issue of ‘supply chain management’ as it is an issue of vendor management. So when hiring a development firm to write code for an app that will access your data, make sure they’re vetted, and make sure their contract includes obligations to protect your data and/or to limit access to it.
How can CISOs/IT security leaders create better incident response plans?
Love: They have to apply the same techniques attackers do: “Painstaking planning of every detail.” Talk to staff about preparing for an incident, and practice the response plan. Imagine what you’re up against and work the problem backwards.
Schmidt: Management should get to know the people responsible for incident response before a serious incident.
Coode: Having an incident response policy is not the same as having a detailed plan.
What will 2022 look like?
Love: “Like 2021, only on steroids”: ransomware, supply chain attacks, compromising open source applications, and attackers getting around multifactor authentication.
Schmidt: “We’re going to have to start exercising our imagination” to protect data. He predicts more board members and senior managers will be more strategic in corporate cyber spending. They’ll also be more willing to bring IT people to meetings to begin a corporate dialogue about how to thwart cyberattacks, he said.
Should you pay a ransom to get data back?
Talk to your lawyer, Schmidt said. Coode and Love said having good data backups lowers the necessity to pay.
Moderator Dave Masson, director of enterprise security for Darktrace, added this recollection: “A business in Ontario called me up crying because he’d been hit by ransomware and he paid, and he asked, ‘Can you help me?’ And I said no, because it’s already happened. Two weeks later he rang me up and said, ‘They’ve done it again,’ and I asked, ‘Did you pay?’ and he said, ‘Yes, can you help me?’ A week later he called me again in tears and said, ‘They’ve put cryptojacking malware on every device in the company!’ And I said, ‘Of course they have. They know you don’t have any money left.’”
A replay of the panel discussion is available on YouTube.