As we see our clients continue to mature and build on their security programmes, we find they all come up against the issue of talent, and this is amplified if they are unfortunate enough to become a victim of cyber crime. After major incidents it's common to find that investment in new solutions is readily available, and that teams are almost encouraged to spend it as quickly as possible, in the false hope that throwing money and platforms at the problem will remove the chance of it happening to them again in the future.
In some ways this can be true: investing in and deploying further controls will to some degree reduce the risk to the organisation. It is, however, a short-term resolution to a longer-term issue, and we have always found that planning investment and clearly understanding the impact on time, and even user experience, can diminish the value of that investment over time.
What we do know is that all IT departments are under pressure, like all companies, to find and retain brilliant talent. Location can have a two-sided bearing on this. You could be fortunate enough to have an office in an area of available and skilled talent, but that comes with the cost of recruiting and retaining it, under continual pressure from similar businesses trying to lure people away with better packages and promises of better perks. This can create a saloon door effect, with lots of people coming in and lots of people going out. On the other side, you may be in a place of less competition and cost, lucky you, but enough talent simply doesn't exist, so you need to be creative in how you train or find the needle that fits the requirement.
The people who do exist within IT are hardly sitting around with nothing to do. They have had to continually evolve over the years to keep up with the internal demands of the business and to know which technology advancements are coming that will give your chosen business the edge. They are responsible for BAU along with the adoption of new platforms, which helpful partners in the channel have implemented into their business. The indirect correlation is that headcount does not follow the same trajectory as new platform adoption.
We have seen some great steps forward in cyber security platforms over the years, which really do give businesses the upper hand. However, irrespective of how much AI/ML/automation is included, post implementation a platform still needs watering, feeding and maintaining, otherwise it will become less accurate and that investment is wasted.
With all the pressures on the existing talent to keep BAU, innovation and new platforms up to speed, it's no wonder people get overwhelmed.
Going back to my opening paragraph, this is all amplified further if the business is impacted by a cyber event. The desire to remediate the issue ASAP is justified, but my caution, based upon the above, is to consider the people impact of rapidly deploying extra platforms... extra workloads! This hard-to-find and valued talent can quickly become overwhelmed, the grass will suddenly look a LOT greener, and no amount of promised progression or development will cover the work left by the adoption of new platforms.
Our advice is always to consider the impact on your people, and to consider the capacity and capability of your talent when building a cyber maturity programme. Plan the adoption of new platforms or services over a planned period, growing or developing your staff in line with the direction your cyber programme is going.
As part of the commercial planning on investment, build some clear development paths for people to progress their career, but relinquish old responsibilities to either new team members or outsource the right functions to service providers and always ensure the growth of people in the business runs in line with the growth in new internal platforms.
In the case of major incidents, consider what the best course of action is going to be over an extended period of time, not just the immediate resolution. Consider what the right internal investments are, in people and platforms, and what the right service-led investments are that will solve the cyber issue but will not create a people issue. Ensure your investments are sustainable and not a short-term fix that will leave you needing to resolve the problem again in the future.