Working hand-in-hand to ensure cyber security

Working with a managed service provider is the rational response to today’s cybercrime landscape

Richard Ford, chief technology officer, Integrity360, says only the biggest companies could now handle their own security. ‘The likes of Google, they can do everything themselves, but even top-tier banks can't afford it’

It’s the point of no return: today, the vast majority of organisations are now unable to manage their own security. Between the growing threat and the skills shortage, security is no longer something internal IT teams can handle.

In 2021, Cyber Ireland’s national survey, entitled ‘The Cyber Security Skills Report 2021’, found that 41 per cent of organisations' security teams are understaffed. Since then, things have only got worse: though the numbers cannot be directly mapped to the Irish ones, in 2023 one survey found that the share of organisations experiencing a shortfall of skilled IT security employees now stood at 86.6 per cent, up on 84.1 per cent in 2022.

Richard Ford, chief technology officer at Dublin-based pan-European security company Integrity360, said that the fact was that only the biggest companies could now handle their own security.

Company name: Integrity360

Year founded: 2005

Number of staff: 500 across group including around 100 in Ireland

Why it is in the news: Integrity360 wants to point out that despite the threat to businesses, security is not an impossible mission

“The likes of Google, they can do everything themselves, but even top-tier banks can't afford it, and it is extremely complex and challenging, especially for non-IT companies,” he said.

Even large banks, he said, were asking how they could develop a hybrid operating model, with things that require domain knowledge handled in-house and the rest handled by a partner.

“Tactical things, certainly, you should be working with someone. With strategic things, such as mainframes or individual processes, you either collaborate on or take in-house. Things that are time consuming and repeatable, though, it makes sense to hand those off to a specialist partner,” he said.

This is not to say, however, that a managed service provider should only be doing the simple things. Far from it, said Ford: the key advantage of working with a partner is their wide and deep knowledge of security.

“We provide managed detection and response as well as the fully managed SOC [security operations centre], including triage, and we directly interface with clients,” he said.

Integrity360 embeds its security professionals inside its clients’ businesses – but it doesn’t need permanent space in the office to do so.

“We don't need to take up desk space: we have a huge investment in our operations centre in Dublin, with secure access in and out. But we do have ringfenced analysts to drop in to customers' environments, and, of course, they can come in for meetings,” he said.

Beating the shortage

Given the global IT skills shortage (which is even worse in security), the question does need to be posed: if businesses cannot hire security professionals, how can managed service providers?

The answer is two-fold: firstly, those who are not ringfenced to a specific client can work across businesses. Secondly, security providers can keep these highly-skilled professionals interested.

“We offer more variety to staff, and an opportunity to learn and progress,” Ford said.

Indeed, Integrity360 finds itself on the frontlines of a battle whose lines keep shifting.

“We deal with 23,000 events per month, which are made up of 600,000 indicators or signals. And this is the tip of the iceberg, really. Our customers get the benefit of our experience with this, and that also is what keeps staff interested,” he said.

Cyber security people are not only hard to get, they are something of a special breed, so it can be hard for businesses to promote a general IT person, even an excellent one, into the field.

“They need that real curiosity – they need to be the kind of person who pulls on a thread when they find it,” Ford said.

On the positive side, Ford said, businesses are all too aware of the nature of the threat they face – and this is a real change from years gone by.

“I would say that major breaches have made it an issue at board level [so] now cyber security is something that people take seriously, on the whole.”

On the whole, though. Not everyone. And remedial action is far more difficult and disruptive than taking an active approach to security.

“There are organisations who are not taking it seriously, and they are the ones who find it hardest to recover,” he said.

Part of the shift is related to a wider trend of getting expert help across all aspects of enterprise IT.

“The cloud had definitely accelerated the desire to push the responsibility out to a service provider,” Ford said.

“You can do measurements of time to recover, but really it’s about gauging your maturity in security across the organisation. ISO certification is a start.”

However, it is not just a willingness to collaborate that marks the current era. Another notable fact is the increased threat. For example, attacks are speeding up, Ford said, with shortening ‘dwell times’ between the moment of penetration and that of execution.

“Threat actors are getting down to a time of three weeks. Nation states, at the very high end, will sit around for a long time, but otherwise the [previously lengthy] dwell time has been largely due to the access brokers selling on to other actors. One report had it down to 16 days, which is a huge drop from what it was before at around 240 days,” he said.

There is no question that hackers are becoming more professional. In fact, it is now known that breaking into people’s computers is itself organised in the fashion of an industry, complete with its own service providers dividing labour and even ‘customer’ service support.

“When you talk about it, it sounds mad, you think ‘this can't be true’, but it is true. We’ve seen the data from the Conti leak, so we [all] need to protect ourselves and mitigate as much as possible and then have the skills, expertise and processes so that if something does happen we can shut it down and recover,” Ford said.

“Cyber security often gets likened to buying insurance, and like insurance you want it to do what needs to be done. Unfortunately, a lot find their spend hasn't been wise. However, insurance doesn't stop you from crashing your car [but] good security should go a long way toward stopping a breach,” he said.

Despite all of this, Ford said he is opposed to the spreading of fear. Real protection is available, he said.

“There is too much doom and gloom in the industry. We're here to empower organisations,” he said.