Across all industries, the demand for cybersecurity is greater than ever. As employees, partners, and customers increasingly want to consume information digitally, there is a need to push information to more endpoint devices. At the same time, the threat landscape is continually evolving, with attacks that are more difficult to detect and defend.
From 2020-2021, the percentage of technologies in deployment for security purposes rose from 15% to 84%, and IT leaders who are planning to increase security technology investments rose from 31% to 64% during the same period.1 But available talent to execute on these cybersecurity investments is in short supply.
In 2022, the global cybersecurity workforce grew to encompass 4.7 million people, reaching its highest-ever levels. However, there is still a need for more than 3.4 million security professionals, an increase of over 26% from 2021’s numbers.2 Research also shows that cybersecurity demand is twice as great as supply.3
The problem is compounded for workers’ comp organizations, which are highly valuable cyber targets due to the large quantities of confidential data – personal health information – they store and the estimated value for each compromised record. As of 2022, the healthcare industry was the most expensive for data breach costs for the 12th consecutive year, with an average of $10.1 million per incident.4
According to Tony Brown, Director, Information Security at Healthesystems and a 30-year cybersecurity veteran, “As a cybersecurity professional, we are hard-pressed to not only secure our sensitive data but also remain vigilant of the ever-changing landscape that is being targeted by hackers. It is a significant challenge for us that only grows larger each day as malicious actors have the upper hand with the availability of emerging tools and techniques capable of exploiting vulnerabilities in a variety of different ways.”
Security Risks: The impacts of the cybersecurity talent shortage on workers’ comp organizations are many. Sixty-seven percent of organizations worldwide agree that the shortage of qualified cybersecurity candidates creates additional risks for their organizations.5 These risks encompass all areas of the business, including application security, network security, endpoint security, cloud security, personnel security, and information security. In 2022, 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills and/or awareness.6
Delayed Technological Growth: A lack of talent to execute on cybersecurity projects also results in delayed technological growth, preventing companies from adopting emerging technologies. IT executives see the talent shortage as the most significant adoption barrier to 64% of emerging technologies, compared with just 4% in 2020.7
Impacts on Business Growth: Finally, the cybersecurity talent shortage can affect an organization’s bottom line through the loss of current and potential customers. According to one study, the shortage could cost the U.S. economy more than $160 billion in revenue by 2030.8 There’s also a cost associated with cybercrime, with global financial damages totaling $6.1 trillion in 2021.9
“If you don’t have the right people, the risk increases exponentially because you’re losing the ability to know what is going on in your environment and put the right security controls in place,” explains Brown. “The first thing customers want to know is, ‘Are you a threat to me?’ If you’re not investing in security, you may be pulling yourself out of the market to gain customers.”
So, what can workers’ comp organizations do to maintain their cybersecurity standards despite the talent gap? Brown recommends that IT security leaders consider these five actions to counteract the impacts of the cybersecurity talent shortage in workers’ comp organizations:
Know the Heartbeat of Your Network: When you know what your network looks like on a “normal” day, you are better able to respond when there is an abnormal rhythm. Make continuous monitoring a priority in your day-to-day security operations.
Brown notes, “When you know the heartbeat of the network, you become familiar with the lay of the land and are in a better position to identify possible weak areas and apply the appropriate solution to reduce the risk.”
Know and Prioritize Your Security Needs: With the shortage in security professionals, you need to know where your biggest security weak point is and address it. This goes back to knowing the heartbeat of your network. Additionally, remember that not all security tools are the same and there is no one-size-fits-all approach.
“Establishing appropriate guidelines and frameworks begins with awareness,” says Brown. “Understand the value of your network. What is critical, why, and how do you protect assets? It is up to you to know your tools’ full capabilities and apply them in the most effective and efficient way possible to secure your most vital assets.”
Continually Evaluate Your Security Tools: Technology changes daily, as do security risks, so you need to make sure that the tools you have in place are fully optimized and used as intended. Are there additional ways you can employ the tools? Are you properly updating and monitoring them? Make sure your current security team has the resources, training, and support they need to be effective in their roles.
“Malicious actors are continuously changing their hacking techniques, so we must be willing to change as well and never become stagnant,” warns Brown. “As soon as we become a little too comfortable in our vigilance, malicious actors will step in and take advantage because hackers never sleep.”
Make Security a Part of Your Organizational Culture: It takes a “security army” to protect your network. Even with a full team of security professionals, you cannot do it alone. That is why it is vital to make security a part of your organizational culture. Make employees your partners in cybersecurity by giving them an understanding of the consequences of their actions and how to decrease risk.
“Humble yourself and understand that it takes an army beyond your department to have an effective security program,” says Brown. “Establish a culture of cybersecurity and make it a priority. Train people in a way that keeps them engaged.”
However, studies show that traditional security awareness training and phishing simulations have a limited impact on improving employees’ real-world cybersecurity practices.10 That’s why Brown suggests building and maintaining a viable Security Awareness and Training Education program that is relevant, fast paced, and enjoyable.
This should not be just an annual checkbox initiative; offer this training throughout the year and provide both professional and personal security tips. Ensure your CEO, CIO, HR, and other C-level executives emphasize the training. Finally, continually evaluate and evolve the training to keep up with changing cyber threats.
Consider Outsourcing to a Managed Service Security Provider (MSSP): Outsourcing your cybersecurity can help you focus on the core business while saving time and money during the recruitment and operation processes. In choosing an MSSP, make sure you find someone that can cover your weak points and areas of concern. Again, this requires knowing your “heartbeat” so that you can better voice your requirements. Know your needs and set expectations. Consider mandating consistent third-party governance standards and periodically conduct third-party audits.
“Remember, the MSSP works for you, not the other way around,” says Brown. “Make sure they are fully aware of and understand what your acceptable standards are. Fully express the MSSP’s roles, responsibilities, and deliverables.”
As you navigate the IT talent shortage in your workers’ comp organization, Brown’s top suggestion is to be patient and understand that establishing and maintaining a viable security program takes time. You must be committed to continuing your team’s education and awareness of the security landscape for emerging threats, technology, requirements, and mitigation solutions. On top of that, you should be flexible and adaptable to both the changing needs of your organization and the security landscape. Finally, foster cross-departmental knowledge sharing of cybersecurity – build that “cybersecurity army” of people across your organization so that everyone has a stake in the fight.
