Ensuring the specialists are there when you need them

Few organisations have the resources to recruit specialists into their cybersecurity teams, which is why outsourcing to specialist security providers is such a vital tool in the fight against bad actors.

Cathal Slattery, director of cybersecurity at Ekco: ‘More and more organisations realise the importance of outsourcing to specialist security professionals because they just can’t attract that talent internally.’ Picture: City Headshots

The issue with cybersecurity is that no one can be an expert in every aspect of it. From cloud to IoT to infrastructure, the many components of the average business each require different skillsets to manage and protect properly.

The challenge is always finding the right talent to protect the company, which is where organisations like Ekco come into play. Bringing in a diverse team in-house is out of reach for all but a few multinationals.

“I’d compare it to a surgeon in that you can’t have one who’s a specialist at everything,” Cathal Slattery, director of cybersecurity at Ekco, said. “It’s not feasible; they have to pick their specialty and for SMEs, security has become so much more that you need people with specialist experience within your team, or there’s going to be flaws in your security posture.”

“More and more organisations realise the importance of outsourcing to specialist security professionals because they just can’t attract that talent internally.”

If you bring in a third party to look after security and privacy, it opens up a wide array of specialist services that can help protect your company. They can then focus on understanding the lie of the land before thinking about security.

As Slattery mentions, the real questions go beyond just IT or security. They involve the core drivers of your business.

“We come in with that subject matter expertise-type approach where we look at what the strategy of the company is and what the main business drivers are,” he said. “It’s not just looking at security; it’s looking at what makes money for the company, what are the crown jewels they need to protect and forming a robust security strategy around that.”

“We focus on what security risks keep executives up at night and it is a really important place to start with as they understand their business best.”

Likewise, Ekco is seeing growing demand for offerings like Chief Information Security Officer (CISO) as a service, where that industry experience is so valuable to organisations. Having people who live and breathe security and have an innate understanding of risk will make all the difference in improving an organisation’s security posture.

“A primary benefit is that getting the best level of talent in a CISO normally is a huge cost and investment,” he said. “This can be a model of one or two days a week where you’re getting that industry experience for the right amount of time for an organisation of that size.”

Many of these strategies come back to the three main principles: people, processes and technologies. Having that guiding star of knowing the ins and outs of a business and what to protect is the best way of creating a tailored fit-for-purpose strategy for an organisation.

Yet even when you assess your business, it’s easy to forget that it’s about continuous improvement across the board. A perceived strength may turn out to be a weakness, which can come as a surprise when an organisation undertakes independent security testing.

“Even with strengths, when there’s an independent assessment done, organisations start to realise their strengths aren’t as strong as they thought they were,” he said. “It then becomes about how they allocate their resources most effectively across the board.”

One of the potential concerns in organisations is that with the cost of living increasing, they could divert funds from security into other areas of the business. The risk behind that is that recovering from a breach or attack is substantially more expensive than taking a proactive approach to security.

Mature organisations understand that a risk-based approach is the best choice with a limited budget. They focus on measuring blocked attacks and ROI reports to give them a clearer picture of the threats they face.

“By having those metrics, they’re able to maintain their budget, if not increase it year-on-year so it varies from organisation to organisation,” he said.

The future of security and privacy depends on striking the right balance between having the right people protecting your business and automation. People are at the heart of security, but it is also beneficial to take as much of the burden away from them as possible, which will mean automation, AI and machine learning.

The traditional view of automation is utilising it for more monotonous, repetitive tasks. The more future-looking approach is automation through techniques such as XDR for automated threat detection and response capabilities.

“It leverages the power of these tools to reduce the volume of security alerts, which in turn allows security personnel to focus on the higher-value threats to the business,” he said.

“It really adds a level of advanced defence capabilities to an overall security strategy. That’s the future for anything within security. Taking out human behaviour to a certain extent, allowing people to focus on the more important elements of security alerts facing the business because there’s only so much information they can take in, prioritise and action.”