Cloud Compliance: The Cheeseburger Principle

We spend our days talking with people about the need to apply security and compliance best practices in their cloud environment, and then helping them maintain automated visibility and remediation of vulnerabilities. We try to imprint on them the notion that security never stops; to truly have the best odds of keeping an environment secure, the effort must be continuous. To illustrate this point, our Chief Cloud Officer, Tim Prendergast, channeled his inner cheeseburger. Read on and you’ll see what I mean.

A Cheesy, Burger-y Metaphor: If you want a clean bill of health at your yearly medical checkup, you can’t eat cheeseburgers for 364 days out of the year and then the day before the checkup, eat a salad and expect to be told you’re in excellent shape. As much as I wish it did, the world doesn’t work like that, and it’s the same for cloud security and compliance.

It doesn’t make sense to ignore security controls, configurations, settings, and other critical aspects of your cloud until the day before auditors come in to review. You could certainly do it, but you’d have an environment populated with bad actors and riddled with holes and ransomware. The truth is that anything other than continuous, automated compliance can lead to three problems.

  1. The cloud (like your body) is a dynamic entity that is constantly changing. A snapshot of what it looked like yesterday isn’t necessarily what it looks like today, and because of that you need a way to monitor its evolution, its changes, and its state – always.
  2. Your compliance issues and responsibilities will continue to pile up as you ignore them – just as your blood pressure will edge ever upwards if you don’t get off the couch.
  3. You can’t escape what you’re supposed to do. Addressing your cloud (or your health, for that matter) only when it’s convenient hands an advantage to bad actors and brings negative consequences.

Look at it this way: without continuous automation, organizations really can’t prove any form of compliance in the cloud because they don’t have timely visibility into infrastructure configuration and workload risk. Timeliness is critical because of the constant change and dynamic nature of your cloud environment.
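As an added illustration of the continuous-monitoring point above (this is not code from the original post, from Evident, or from Palo Alto Networks): a small Python check that evaluates cloud resource records against a few compliance rules and compares two consecutive runs to surface drift. The resource shape, the rule names and the sample records are assumptions constructed for the example and do not model any real provider’s API.

```python
"""Continuous compliance check over cloud resource configurations.

Added illustration; not code from Evident or Palo Alto Networks.
The resource records and rules are constructed for the example and
do not model any real provider's API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Resource:
    """Constructed, provider-neutral view of one cloud resource."""
    rid: str
    kind: str                      # e.g. "bucket", "security_group", "volume"
    attrs: Dict[str, object] = field(default_factory=dict)


# A compliance rule: (rule id, resource kind it applies to, predicate that is
# True when the resource is COMPLIANT).
Rule = Tuple[str, str, Callable[[Resource], bool]]

RULES: List[Rule] = [
    ("BUCKET_NOT_PUBLIC", "bucket",
     lambda r: not r.attrs.get("public_read", False)),
    ("VOLUME_ENCRYPTED", "volume",
     lambda r: bool(r.attrs.get("encrypted", False))),
    # Administrative ports must not be reachable from the whole internet.
    ("SG_NO_WORLD_ADMIN", "security_group",
     lambda r: not any(
         ing["cidr"] == "0.0.0.0/0" and ing["port"] in (22, 3389)
         for ing in r.attrs.get("ingress", []))),
]


def evaluate(resources: List[Resource]) -> Set[str]:
    """Return the set of 'rule_id:resource_id' findings for non-compliant resources."""
    findings: Set[str] = set()
    for res in resources:
        for rule_id, kind, compliant in RULES:
            if res.kind == kind and not compliant(res):
                findings.add(f"{rule_id}:{res.rid}")
    return findings


def drift(previous: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Compare two runs: findings that appeared since the last run, and findings fixed."""
    return {"new": current - previous, "resolved": previous - current}


# Constructed sample: the environment as captured on two consecutive runs.
DAY1 = [
    Resource("logs-bucket", "bucket", {"public_read": False}),
    Resource("db-vol", "volume", {"encrypted": True}),
    Resource("web-sg", "security_group",
             {"ingress": [{"cidr": "0.0.0.0/0", "port": 443}]}),
]

# Day 2: SSH was opened to the world and a new unencrypted volume appeared.
# A snapshot taken on day 1 would still look clean; only re-evaluating shows it.
DAY2 = [
    Resource("logs-bucket", "bucket", {"public_read": False}),
    Resource("db-vol", "volume", {"encrypted": True}),
    Resource("scratch-vol", "volume", {"encrypted": False}),
    Resource("web-sg", "security_group",
             {"ingress": [{"cidr": "0.0.0.0/0", "port": 443},
                          {"cidr": "0.0.0.0/0", "port": 22}]}),
]


if __name__ == "__main__":
    before, after = evaluate(DAY1), evaluate(DAY2)
    for label, items in drift(before, after).items():
        for item in sorted(items):
            print(f"{label}: {item}")
```

Running the two evaluations on a schedule and diffing them is the whole point: the day-1 result is empty, the day-2 result carries two new findings, and neither would be visible from a single point-in-time report.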

Not to worry, Tim is still going to have the occasional cheeseburger, and you should too. And even better, we can help you get started on your journey to compliance in the cloud.

View our webcast – Cloud Compliance is a Team Sport – here, where cloud security and compliance experts share practical advice to get your cloud compliance program in the best shape possible, including how to automate the time-intensive tasks to save your teams valuable time and allow them to focus on what matters to the business.

You can also get started measuring your cloud compliance now. Evident offers a simple, one-click compliance report that will show you how your cloud infrastructure measures up. Sign up for a trial here.

Source: https://researchcenter.paloaltonetworks.com/2018/10/cloud-compliance-cheeseburger-principle/

[Palo Alto Networks Research Center]

Workforce Study Methodology and Defining the Gap

2,930,000

That is the size of the global cybersecurity workforce gap. The breakdown is around 498,000 in North America, 136,000 in Latin America, 142,000 in Europe, the Middle East and Africa, with the largest deficit coming in Asia Pacific at 2.14 million. But what does this big, scary number even mean? Where did it come from?

First, this new Cybersecurity Workforce Study from (ISC)² has evolved from past studies to become a more accurate representation of the broader workforce. We surveyed nearly 1,500 professionals around the world who spend at least 25% of their time on cybersecurity activities, which includes IT/ICT professionals who previously may not have been considered part of the cyber workforce.

To ensure our numbers were accurate and representative, we worked with our research partner (Spiceworks) to develop a rigorous sample design for each region. The sample within each country was controlled to ensure a mix of company sizes and industries. Some statistically significant differences between regions noted in the report may be due to regional differences in scale usage.

With a more precise look at who is actually doing the work, we also changed how the gap itself was calculated. Some legacy gap calculations subtracted supply from demand which didn’t consider relevant factors like organizational growth.

For the demand, we start with a calculation of the current percent of organizations with job openings – this represents the expected share of organizations that will have hiring demand. Among organizations surveyed, most (83%) indicated that they had open cybersecurity positions. Next, average hires are estimated. To make the number more precise, we used information across company sizes and combined these estimates to extrapolate future staffing needs for the total market (all business entities) using data from various government sources.¹

Our calculation of the supply includes new entrants to the field – academic and nonacademic alike – which was linked to secondary market data. We also took into account the number of/rate of professionals who historically have shifted into roles with more cybersecurity responsibilities by combining both primary survey data with secondary market data.²

What Does the Gap Mean?

Our research does not propose there are 2.93 million cybersecurity job postings open right now. The (ISC)² Cybersecurity Workforce Study gap is an assessment of the demand for skilled cyber professionals based on the input from the cybersecurity workforce on the front lines every day. But what does this actually mean to the workforce?

Globally 37% of professionals stated the lack of skilled/experienced cybersecurity personnel was their top job concern. Additionally, 63% of respondents said their organizations have a shortage of staff dedicated to cybersecurity, and 60% said their organizations were at a moderate or extreme risk of cyberattacks due to that shortage.

Our industry is painfully aware of the challenges that organizations face when staffing qualified cyber teams. The purpose of finding and sharing the gap is not to shout that the sky is falling, but rather to build awareness of the need for talent and training, to advocate for solutions that will benefit the workforce, and ultimately to inspire a safe and secure cyber world.

For more on the impact of the gap, and other findings from the study, download the full report.

¹: U.S. Census Bureau – Geography Area Series: County Business Patterns by Employment Size Class (2015 Business Patterns), Statistics Canada, Instituto Nacional De Estadistica Y Geografia (Mexico), Office for National Statistics (U.K.), EU Commission and Statistisches Bundesamt (Destatis) (France and Germany), Australian Bureau of Statistics, Statistics Bureau, Ministry of Internal Affairs and Communications (Japan)

²: Wharton School of the University of Pennsylvania, CompTIA Cyberstates 2018, Cybersecurity Workforce Alliance (Australia)

Source: https://blog.isc2.org/isc2_blog/2018/10/workforce-study-methodology-and-defining-the-gap.html

[(ISC)² Blog]

Key Considerations for Assessing GDPR Compliance

The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.

The GDPR regulation affects people across the globe. The scope of GDPR is quite wide-ranging, and can apply to many global institutions with operations in Europe. Certainly, GDPR has created more power for data regulators, due to the severe potential financial penalties for non-compliance (maximum of 4 percent of annual global turnover or €20 Million, whichever is higher).

A few of the key things to know about GDPR are:

  • The regulation governs how institutions collect, record, use, disclose, store, alter, disseminate, and process the personal data of individuals in the EU.
  • If a breach involves personal data, the Data Protection Authorities must be notified within 72 hours.
  • It governs the rights of data subjects, including rights to access, rectification, erasure, restriction of processing, data portability, and rights in relation to automated decision-making and profiling.

How do I assess my GDPR compliance?

All these are essential reasons for institutions to ensure that the proper governance and tactical steps are taken for compliance with the GDPR regulation. The GDPR Audit Program Bundle developed by ISACA does just this by providing institutions with a guide for assessing, validating, and reinforcing the GDPR requirements by which institutions must abide. The audit program was developed to provide enterprises with a baseline focusing on several key areas and their respective sub-processes, which together cover all key components of GDPR, including:

  • Data governance
  • Acquiring, identifying and classifying personal data
  • Managing personal data risk
  • Managing personal data security
  • Managing the personal data supply chain
  • Managing incidents and breaches, and creating and maintaining awareness
  • Properly organizing a data privacy organization within your institution

Also included are key testing steps involving control category types and frequency to help facilitate the effective discussion and analysis as it fits your institution. The important thing to remember is that there is no absolute right way to go about becoming GDPR-compliant. However, a robust and thorough review of your GDPR environment as it pertains to data processing for your institution is required to ensure a proper baseline is used to assess compliance and successfully execute a GDPR compliance program.

Editor’s note: ISACA has addressed both general and particular audit perspectives for GDPR through its new GDPR Audit Program Bundle. Download the audit program bundle here. Access a complimentary white paper, “How To Audit GDPR,” here.

Mohammed J. Khan, CISA, CRISC, CIPM, Global Audit Head – IT, Privacy, Medical Device Cybersecurity

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1091

[ISACA Now Blog]

The Path to Improved Cybersecurity Culture

The recent ISACA-CMMI Institute cybersecurity culture research illustrates the accomplishments and gaps that are seen in organizations’ cybersecurity culture. The survey-driven research focuses on culture and continuous improvement, both essential components to a successful cyber risk management program.

In this blog post, I will highlight some of the survey’s findings and then discuss ways you can improve your organization’s cybersecurity culture.

Some positive steps I noticed:

  • 75% of organizations are getting management more involved with cybersecurity culture
  • Most organizations can identify business benefits realized through better cybersecurity
  • 87% think that better cybersecurity would improve profitability or viability

Some gaps:

  • 60% of organizations do not have very successful employee buy-in
  • 42% of firms do not have a cybersecurity culture plan
  • 55% think the CISO owns cybersecurity culture

Achieving a strong cybersecurity culture requires action on many fronts: people, process, technology and outside partners. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that most organizations are getting management more involved. However, it is important that the C-level regularly communicates the importance of security to management and to employees. An annual communication to all employees will not work.

Continuous, incremental improvement is vital. In fact, the root of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and specific elements, like risk management. An effective risk management program is the basis for a good cybersecurity culture.

What factors inhibit continuous improvement of risk management programs (and associated cyber security culture)? Humans can grow but do not accept dire reports of impending disaster – think of Cassandra and the Trojan Horse. Humans may, however, accept incremental adjustments in risk awareness or mitigations. Another reason risk management programs fail to get support is that the CISO is not seen as a “business partner” with other top executives. A promising metric for me was that 87% of respondents believe that better security can lead to better business outcomes. CISOs need to speak in terms of business benefits in order to be a business partner with other CXOs. CISOs also need to build personal relationships with their C-level peers.

Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture. One thing I noticed in the survey is that 55% of respondents think the CISO is responsible for corporate cybersecurity culture and only 6% assign this to HR. I believe that any cultural change must be supported by a partnership involving HR or other “people-focused” centers of influence. Cybersecurity culture is really no different from any other type of culture, and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years; there is no need to reinvent the wheel.

One resource for cultural transformation is John Kotter’s eight-step model for transformation. Cultural change is the last step in the transformation process. It is preceded by defining a sense of urgency, forming a powerful coalition and five additional enabling steps. Another model for organizational change is Jay Galbraith’s Star model. He highlights the five functions needed in designing an organization: strategy, structure, processes, rewards and people.

These functions can be utilized to create or transform the security organization and culture that you want in your business.

Frederick Scholl, Ph.D., Cyber Security Program Director, Quinnipiac University

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1089

[ISACA Now Blog]

Guideline on Effectively Managing Security Service in the Cloud

The cloud computing market is growing ever so rapidly. Affordable, efficient, and scalable, cloud computing remains the best solution for most businesses, and it is heartening to see the number of customers deploying cloud services continue to grow.

From the beginning of cloud’s existence, cloud service security has been among the top concerns of deployment. In order to deal with this, various organizations have invested huge efforts in cloud service security standards and in researching, developing and enforcing best practices. Thanks to the efforts of cloud service providers (CSPs), cloud service security has reached an acceptable level. But from the cloud customers’ perspective, there is still a shortage of best practices on how to secure their cloud services. The availability of such guidelines can be especially helpful for small and medium enterprises (SMEs) that constantly face shortages of professional security manpower. With this in mind, the Cloud Security Services Management (CSSM) Working Group developed the “Guideline on Effectively Managing Security Service in the Cloud,” which applies to various cloud deployment models, from private, public and hybrid to community cloud.

The shared security responsibility model is no stranger to the cloud security community. Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements. The complexity is that in reality, given the same concept of shared responsibility, there are different interpretations and implementations among different CSPs. In many cases, it is challenging for cloud customers to clearly understand and bear their responsibilities in practice.

Cloud service security: A how-to

The Guideline provides an easy-to-understand guidance to cloud customers on how to design, deploy, and operate a secure cloud service with respect to different cloud service models, namely IaaS, PaaS, and SaaS, helping them ensure the secure running of service systems. With a distinct separation of responsibilities, cloud customers can clearly understand security responsibilities of their own and of CSPs, what security assurance features should be provided to bear these security responsibilities, existing gaps, and how to develop related capabilities to address such gaps.

Additionally, the Guideline provides guidance for CSPs in building cloud platform security assurance systems which can also be used by cloud service security integrators.

Third-party security service providers also play important roles in securing cloud services. Although the shared security responsibility model assigns them no responsibilities in the cloud, these providers can leverage the Guideline to better fit their services to CSPs and/or cloud customers.

The CSSM WG hopes that this effort allows for better understanding of cloud security responsibilities from both customers and CSPs, and through this create a more immaculate cloud security ecosystem.

Download the Guideline on Effectively Managing Security Service in the Cloud now.

Dr. Kai Chen, Director of Cybersecurity Technology, Huawei Technologies Co. Ltd.

Source: https://blog.cloudsecurityalliance.org/2018/10/16/guideline-managing-cloud-security-service/

[Cloud Security Alliance Blog]
