Information security is no longer just an IT issue. In fact, companies are finding themselves having to protect not only their own digital boundaries, but those of their suppliers and customers because of the complexity of the modern digital supply chains. Keeping on top of the constantly evolving threat landscape has therefore never been more important. Although investing in the right tech and infrastructure is undoubtedly crucial, the human element of the process – specifically, hiring the right talent to tackle the latest cyber threats – is coming into even sharper focus.
At Michael Page, we have noticed that government and industry regulations are challenging businesses to meet a range of information security requirements, which can lead to gaps in maintaining the security control. Therefore, here are some security and privacy trends that should be on every company's radar this year, along with an analysis of how they should respond through key investment and talent attraction.
Making IoT secure by design
Security and privacy should be top of the agenda for any business that is building or using Internet of Things (IoT) networks. IoT has traditionally suffered from a poor reputation when it comes to security; companies manufacturing connected objects historically left security way down the list of priorities in the design process and didn't equip their hardware with a robust process for updating and patching software.
That's set to change: IoT users are no longer willing to accept second best when it comes to security. The field has also been given a boost by government funding: at the start of the year, the Department for Business, Energy & Industrial Strategy announced a £100m investment for information security research and development. The lion's share of the funding will be focused on helping to make security part of the design process for devices and processors, with a smaller but not insubstantial chunk of funding going towards boosting security at the periphery of networks.
The combination of increasing IoT rollouts, combined with a growing awareness of the security threat that IoT devices may present, will see businesses funnelling more investment into ensuring every piece of hardware – from the simplest to the most complex – is secured. For those planning to deploy or extend their IoT presence, that could mean adding new headcount with expertise in endpoint security, networking security, and lifecycle management, to make sure that all devices and connections are both appropriate and suitably locked down.
Embracing a more diverse workforce
The Joint Committee on the National Security Strategy announced last year, “that although the UK has one of the most vibrant digital economies in the world, there is not currently the information security skills base to match”.
In order to counter that gap, businesses are looking outside the traditional candidate pool. Earlier this year, the Department for Digital, Culture, Media, & Sport announced funding to help bring more diversity into information security, encouraging more female, BAME, and neurodiverse people to join the industry. Efforts to inspire more neurodiverse candidates to consider working in the sector have been gaining traction over the last year. The National Autism Society and others have run pilots specifically around information security recruitment, while technology companies including Microsoft and SAP have launched programs to hire more people from the autistic spectrum. Expect work to make information security and privacy a more diverse industry to continue gathering pace in the short term, with a view to not only broaden capabilities within the industry but also to address ongoing security skill gaps.
Talking the talk
While GDPR may have been the privacy story of last year, businesses are still grappling with the aftereffects of the legislation. GDPR should be just as important to organisations now as it was in 2018, but data privacy will be an extra challenge when the UK exits the European Union. Due to the current uncertainty over Brexit, companies should be exploring the potential impact of various scenarios for how they handle customers' and suppliers' information. Those with an international outlook will also need to concentrate on ensuring that they comply with recent changes to US legislation, including the need to notify the Department of Financial Services of any data breach within 72 hours.
Given the growing costs associated with avoidable security and privacy breaches, be it through fines from regulators, reputational damage, downtime, and the need to improve security systems post hoc, there's no denying that security should be a board-level issue for most companies. However, there has traditionally been a disconnect between those at the top table and those in the IT department. One of the most valuable skills that businesses need to invest in is not necessarily around implementing new frameworks or achieving next-level certifications, but those of communicating the intricacies and importance of security and privacy to individuals holding budgets and setting corporate strategy.
Ben Lyons, Operating Director, Michael Page Technology