Meet your new security team: Ombudsman, marketer, digital ecosystem manager
- 19 July, 2018 06:00
Gartner highlights another challenge to organisations already facing a broad, global shortage of skilled security professionals.
In a new report, the analyst firm calls on organisations to prepare for new security roles with the rise of digital ecosystems.
“In an increasingly digital and interconnected world, mobile, cloud, IoT and OT connect to traditional IT,” notes Sam Olyaei, Gartner analyst and author of the report.
“Security and risk management leaders will need to consider new security roles to confront the challenges of this ecosystem and to address a worsening skills shortage.”
The report points out traditional cybersecurity teams are not prepared to address new cybersecurity risks that digital business programmes introduce.
Gartner research shows 68 per cent of digital organisations have a cybersecurity expert on staff, but remain incapable of managing digital risk.
Meanwhile, 90 per cent of CEOs are prioritising digital initiatives. Without adequate security resources to address digital risk, these initiatives may be delayed, the report points out.
By the time the need for new cybersecurity skills is fully obvious, it is often too late to develop a plan of action, says Gartner. The organisation has already been left exposed to active threats for some time.
Thus, Gartner recommends that security and risk management leaders assess whether their current security programmes can adequately address the emerging challenges resulting from participating in digital ecosystems.
Among other things, they should develop and evolve a formal staffing framework and structure to address other new roles that emerge in this interconnected environment.
Moreover, they should plan to grow these competencies at least a year ahead.
Gartner has identified a range of emerging key roles critical to any security function involved in digital transformation.
The digital ecosystem manager will challenge security and risk management leaders to engage and demonstrate the value of the security team's work to the business. This manager coordinates risk and privacy assessments and helps the digital risk officer (another emerging role) communicate across the organisation's ecosystem. The latter includes vendors, supply chain and other external players that could impact digital risk. Responsibilities also include managing third-party risk management and compliance/regulatory mandates.
One of the roles, the chief of staff for security, leads IT strategic planning initiatives and communicates IT plans and performance to both functional staff and business partners.
This role is a security equivalent that reports to the chief information security officer (CISO), and interacts with functional and business unit leadership to set strategic direction in alignment with business objectives and priorities, says Gartner.
The role will remove some of the administrative tasks for the CISO so the latter can work on higher-value activities.
Another role, the data security scientist, blends the emerging disciplines of data security and data science.
The role incorporates data science and analytics into security functions and applications.
Specifically, the role determines how machine learning, artificial intelligence and analytics can be deployed to automate tasks and orchestrate security functions using algorithms and mathematical models to reduce risk.
Gartner says skills needed for this role include advanced mathematics, statistical analysis, data collection and analysis.
Another emerging role is that of security ombudsman. This role is for an experienced technology professional who will uphold the interests of constituents — users, employees, consumers — by expressing and defending what the organisation's security should prioritise.
This is similar to the newspaper ombudsman who reconciles news coverage with the public good.
“This individual ensures that the clients — often line-of-business customers — are supported by security measures,” reports Gartner.
The security ombudsman acts as a liaison or security champion, working with key people throughout the organisation from non-IT or non-security lines of business (LOBs).
Another emerging role is the threat hunter/modeler. This is a more technical role that systematically evaluates the security architecture and operations of an organisation.
Gartner also sees the rise of the security marketer. This role highlights the organisation’s core security competencies as a competitive differentiator.
Build bench strength
Meanwhile, Gartner’s 2018 CIO Agenda Survey highlights ways to manage the security skills challenges that continue to affect organisations in the midst of digitalisation.
The survey, conducted among 3,160 CIO respondents in 98 countries and across major industries, finds that although 95 per cent of CIOs expect cyber threats to increase over the next three years, only 65 per cent of their organisations have a cybersecurity expert.
"Cybersecurity is faced with a well-documented skills shortage, which is considered a top inhibitor to innovation," says Rob McMillan, research director at Gartner. "Finding talented, driven people to handle the organisation's cybersecurity responsibilities is an endless function."
Cybersecurity remains a source of deep concern for organisations.
Many cybercriminals not only operate in ways that organisations struggle to anticipate, but also demonstrate a readiness to adapt to changing environments, says McMillan.
"In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data."
Gartner recommends that chief information security officers (CISOs) continue to build bench strength through innovative approaches to developing the security team's capabilities.
They will have to use alternative recruiting techniques to secure and grow this talent.
Women, for instance, are underrepresented in security and risk management. Thus, CISOs should make every effort to recruit women into staff and leadership positions within security practices.
Security and risk management leaders can also identify retired or semi-retired industry veterans, many of whom have chosen to scale back while still maintaining interest in challenging roles.
Academic institutions are excellent sources of driven, inspired candidates, says Gartner.
Interaction with technical programmes and computer science departments should be a priority for organisations that have strong ties with local universities and polytechnics, it adds.