How CISA Helps SMBs Address the Security Talent Gap
One number kept popping up at this year's (ISC)2 Security Congress in Las Vegas: 98.5%. Attendees heard (ISC)2 CEO Clar Rosso and other speakers cite it several times. What is 98.5%? It is the percentage of small businesses with no cybersecurity professional on staff.
It was not made clear whether that figure accounts for small businesses that rely on MSSPs and other outside help for their security needs. The takeaway, however, was that when an organization has no ready access to cybersecurity knowledge, the resulting risk does not stop at that organization. Businesses are so interconnected that a successful phishing email at a five-person company can end up affecting the large corporations whose supply chain that small shop is part of.
Even where an SMB has some cybersecurity knowledge in house, that does not mean its security professional or team has a clear view of the threat landscape. Threat information sharing is still in its earliest stages of maturity, and a small company is the most likely to be left out in the cold on the latest attack vectors and malware strains.
No organization should be left unprotected. Help does exist, and it comes from the federal government. Even though Congress has yet to pass substantive cybersecurity and data privacy legislation, the Cybersecurity and Infrastructure Security Agency (CISA) offers resources for small businesses: guidance on creating security policies and best practices, and advice on the kinds of roles needed to build an internal security knowledge base. But directions on a website are not enough.
Joint Cyber Defense Collaborative
There is a need for partnership between the private sector and the government, Dr. David Mussington, CISA's executive assistant director for infrastructure security, said in a fireside chat with Rosso on the second day of the Security Congress. (CISA is part of the Department of Homeland Security, DHS.)
“History has shown that collaborative defense and risk management is the only way,” Mussington stated. No single entity has total insight into cybersecurity, so organizations need to learn from each other and work together. At its most basic level, that means sharing information about real events, rigorously discovered and corroborated, along with mitigation steps, Mussington said.
The Joint Cyber Defense Collaborative (JCDC) takes this partnership a step further, bringing government agencies together with private-sector technology and security companies that can discover and remediate threats at the lowest level of engagement.
“It’s the idea of collaboration helping the ecosystem versus one at a time,” said Mussington.
What needs to improve is the ability to anticipate what threat actors will do, especially where SMBs, nonprofits and academic institutions are at risk. That calls for better insight into threats and attacks, which is something CISA and other government agencies are working toward.
Mitigating Security Gaps for SMBs
The talent shortage certainly contributes to the lack of cybersecurity professionals on staff at SMBs. Budgets do too: the organization may simply be unable to pay a competitive salary to keep someone around, even part-time or on a consulting basis. One approach encouraged at Security Congress was to be more creative, and think outside the box, about who would make a good security professional. (ISC)2 is taking steps to build the security workforce with an entry-level security certification. The CISA resource pages also offer guidance on how to build security teams internally.
But building internally takes time. While an SMB is putting together its internal security knowledge base, it can turn to CISA for help mitigating its security gaps.
“We also have a field force,” said Mussington. Cybersecurity advisors spread across ten regional offices around the country can help SMBs handle security issues. Those advisors are a scarce resource: only about 140 staff members are available to help, while thousands of companies need assistance. To get the most from a CISA field office, Mussington recommended that SMBs first learn all they can from the self-help tools on CISA.gov. That way the SMB's staff can ask the CISA team more focused questions, and CISA can organize the most useful response.
The workforce gap has a real impact on cybersecurity across organizations of all sizes and has national security implications. SMBs need in-house cybersecurity knowledge as much as large enterprises do. CISA can’t do everything for SMBs, but it offers a support system so SMBs aren’t dealing with the problem alone.