The use of the cloud is almost mainstream for companies these days. Hardly any other innovation has changed the enterprise technology landscape as much as the cloud. Almost every next-generation solution that offers digital business opportunities today is based on a cloud platform.
Organizations are increasingly relying on the cloud as part of their growth strategies and associated business requirements – but security is often neglected. It is undisputed that the cloud is a boon for the digital age. The technology offers almost unlimited scalability, reliability, disaster recovery, redundancy, and integrated security with native cloud services – and this is also highly cost-efficient.
In addition, the decision-makers in companies are particularly impressed by the flexibility, as the cloud can be easily adapted to the business and further developed at any time.
However, incidents such as the Capital One data hack show the vulnerable dark side of the technology: In 2019, the data of 106 million customers hosted in an AWS cloud was stolen – and a wave of lawsuits ensued. Such situations highlight the challenges and difficulties of data security and protection, interoperability, regulatory compliance, and the constraints that CISOs must adhere to.
The topic is moving up the agendas of governments around the world, as with the General Data Protection Regulation (GDPR) in Germany and the EU, and leaves companies little room for weaknesses.
The list of challenges for CISOs does not end there. Other obstacles include:
- Lack of multi-cloud visibility and control through a single dashboard for security and data protection issues and compliance violations,
- Challenges in integrating native public cloud services, and
- Problems in adopting multi-cloud services with a single cloud architecture across cloud platforms, authentication frameworks, security monitoring, event correlation, etc.
Pay Attention To The (Skills) Gap
There is a common thread that runs through all of these challenges – the appropriate skills. The market for qualified cybersecurity experts is highly competitive, and the demand significantly exceeds the low supply. This is all the more true for cybersecurity experts whose expertise lies in the changing security landscape that goes hand in hand with cloud technologies.
A study by ESG-ISSA showed that 53 percent of companies only had a “problematic” level of cybersecurity knowledge in 2018/2019 – this proportion has grown steadily over the past four years. The same study also shows that lack of cybersecurity literacy affects 74 percent of organizations significantly or to some extent. Especially in cloud network and development, DevOps, and container management, there is a lack of specialist staff with relevant cloud skills and the knowledge to manage converged infrastructures that merge traditional and cloud networks into a coherent networked environment.
This gap costs companies dearly. The experts who are already available for cloud security are struggling with an increased workload due to the shortage of skilled workers. This, in turn, increases the likelihood of human error, a discrepancy between tasks and knowledge, or even burnout. CISOs often need to recruit and train young people to fill the talent gap rather than hiring seasoned cybersecurity professionals.
A workload that is too high also means that employees do not have enough time to thoroughly learn or use the security technologies available to them – and thus to exploit their full potential. From a strategic point of view, cybersecurity is limited to the company’s requirements and processes. This isolation of cybersecurity results in isolated security protocols for both the cloud and the physical networks.
Attract Skilled Workers
Organizations should face the battle for talent with a multi-pronged strategy that works in the short, medium, and long term. Cybersecurity – especially in connection with relatively new technologies such as the cloud – focuses on specialized niche talents with a DevOps background. Some of these talents can be found with cloud specialists and managed service providers.
Partnerships with such providers give companies access to coveted specialist knowledge – from which their employees also benefit. In collaboration with the external specialists, they learn the relevant skills with sufficient time and guidance without endangering the security situation or impairing productivity. Throughout the process, an iterative DevSecOps approach ensures that bugs are identified and corrected as soon as they occur. Security is thus guaranteed throughout the entire process and not just at the endpoints.
In the medium term, however, the training of internal talents with complementary skills is irreplaceable. This approach also has numerous advantages: Existing employees receive institutional knowledge from external specialists and pass this on to other colleagues – compared to hiring a new expert, this approach saves time and money. It also saves productivity that could be lost when training a new employee via internal systems and processes.
The key to the strategy is to motivate employees to leave their comfort zones and develop a culture of continuous learning within the workforce that teaches employees the benefits of upgrading and helps them work on their strengths. This enables them to rethink their role and growth in the company and to learn and deepen new skills.
In the long term, the industry must work with educational institutions to keep their cybersecurity training up to date with the ever-changing threat perception. The cybersecurity unemployment rate has been zero for the past eight years. It is expected that there will be around 3.5 million vacancies in 2021 due to the shortage of skilled workers. Of all IT positions, cybersecurity engineers were the highest-paid and most recruited professionals in 2019. These prospects are sure to attract the next generation of college graduates to a career in cybersecurity.