A lack of internal training
Chances are you already have future security pros within your own ranks -- it would stand to reason that businesses have turned to internal talent to find cybersecurity experts. But, according to the data from Spiceworks, that's not necessarily the case. When asked how willing they would be to invest in IT training for 2016, 57 percent said they were "somewhat open, but it would take some convincing," while only 6 percent said they were "extremely open" and had already made investments in training.
"Smart people within your own ranks have the huge advantage of already knowing the context of the enterprise to be protected. By using in-house staff, you can save on the time it takes to teach them the context of the enterprise," says Ryan Hohimer, co-founder and CTO of DarkLight Cyber.
Beyond training your own IT pros in security, Hodges also recommends educating your employees, as they can often be one of the biggest in-house data risks. He suggests focusing on building a culture around security that includes emphasizing a "data privacy first" attitude, encouraging employees to collect only the data that is necessary and ensuring they understand how to get rid of unneeded data.
"This can go a long way to supplementing the lack of in-house resources, because at the end of the day, cybersecurity is ultimately everyone's job," he says.
It might take some convincing to get the budgets in place to train internal workers -- but Apratim Purakayastha, CTO at Skillsoft, says it needs to be framed as an investment rather than a cost. By investing in training, you'll create an internal workforce that will help you avoid major profit losses in the event of a breach.
Cybersecurity is a full-time job
One caveat to training your own employees on cybersecurity is that you will need to account for the fact that it will become a full-time job. You can't expect your IT pros to juggle networks, servers, hardware, software and cybersecurity. Cybersecurity professionals have to spend a lot of time figuring out every possible way someone could attack your business, says Van Allen.
"Simply put, everything is growing more complex. The threats are more complex, as are the networks attackers are attempting to breach and compromise," he says.
That means you need to give cybersecurity professionals the time, budget and resources they need to develop preventative strategies. You don't want to rely on strictly reactive solutions to security. Van Allen says this requires a "holistic view" of cybersecurity, especially since these types of threats are only going to grow more complex in coming years.
If you're dragging your feet on hiring a cybersecurity expert or training someone within your own ranks, you might be throwing money out the window. Hodges says that data breaches have simply become part of the cost of doing business, so they should be planned for and ultimately expected; and a great way to avoid spending millions on a security breach is to be prepared for one.