The global shortage of workers with cybersecurity skills grew by 13% from 2022 to 2023, leaving approximately 4 million jobs unfilled, according to the 2023 Cybersecurity Workforce Study published by ISC2, a membership association for cybersecurity professionals. The profession would need to double in size to close that gap, which simply isn't possible. Rapidly emerging technologies such as generative artificial intelligence (AI), together with sharp increases in ransomware and phishing attacks, add urgency. On top of that, the regulatory environment is fragmented and changing. Unfortunately, being a small or medium-size business doesn't reduce your risk. Criminals rely on automated tooling that never has to consider the size of a target: they launch attack software on the Internet that is designed to seek out any reachable victim.
ESTABLISH A SECURITY LEADER
What are some strategies that hospitality SMBs can use to address data protection risks? Large companies typically recruit a security leader, such as a chief information security officer (CISO). They can afford the higher compensation package, the supporting team members and the technical systems and tools the role requires. CISOs, and security leaders in general, are well-qualified people who typically hold the Certified Information Systems Security Professional (CISSP) credential and have more than 10 years of relevant and varied experience with good references. CISOs are expected to have business and soft skills as well as broad technical knowledge. Even if you aren't in a position to hire a CISO, the strategies below can help you manage cyber risk for your company.
As an immediate first step, consider finding a virtual CISO (vCISO) or fractional CISO or a consulting firm that specializes in cybersecurity. When you contract for someone to provide these services on a part-time basis, you can expect deliverables such as:
- Assess the current status and develop prioritized recommendations on the actions needed to address gaps or areas of high-risk exposure.
- Write policies that apply to all employees, such as an Acceptable Use Policy, as well as technical policies and procedures for IT covering vulnerability scans, firewall rules, etc.
- Design a security awareness and training program for all employees.
- Develop an incident response plan.
- Create a process to manage third-party risks, especially
If you take this approach, it's essential to make sure you also have the IT operations capability to carry out the day-to-day processes and procedures those deliverables call for, such as vulnerability scanning, alert response and access control administration. A vCISO writes the vulnerability management policy; someone on your side still has to run the scans and fix what they find.
You'll find that the firms that best meet your needs are often smaller ones that can tailor their services and deliverables to you. Contracting for skills and security services can fill a big gap, but you still need to appoint and authorize someone in your own organization to make decisions and oversee the core processes.
DEVELOP SECURITY PROFESSIONALS
Another strategy is to identify a high-potential IT employee who can be developed through mentoring and external training. Many of today's cybersecurity professionals began their careers in roles like network engineer, programmer and desktop support specialist. IT and cybersecurity are adjacent skill sets, but they aren't identical, so carrying out this strategy requires an investment in external training.
If you don't have someone with development potential, consider recent college graduates with a major in cybersecurity. These individuals lack practical experience and business knowledge, but if you commit to mentoring them, their foundational training usually allows them to learn quickly.
Explore local universities and technical schools. Cybersecurity curricula are relatively new and are often offered as a concentration within a computer science degree. Look for a school that integrates security certifications with its course of study; this is a good indicator that the content is relevant and properly focused on security. SANS Institute (https://www.sans.org) is the leader in my view. It offers remote online courses as well as in-person classroom training. Another school with an excellent reputation is Western Governors University (https://www.wgu.edu), which offers remote online programs and accelerated timelines for completion. Kennesaw State University (https://www.kennesaw.edu/) is also outstanding: the colleges and universities that make up the National Security Agency's National Centers of Academic Excellence in Cybersecurity (NCAE-C) awarded Kennesaw State the 2022 First Place Outstanding Outreach Award. For perspective, all 347 colleges and universities in the NCAE program were eligible for that recognition.
As you look at resumes, keep an eye out for certifications, and look each one up: some are specialized technical certifications, others are more fundamental, entry-level credentials. Note that some certifications, such as the CISSP, require a prerequisite of five years of relevant work experience, so a new graduate wouldn't be eligible for it but may still hold certifications that are worthwhile for your needs.
FIND ORGANIZATIONAL SUPPORT
Whether you select an internal IT person for development or recruit a new graduate, you should enroll your key person or team in local chapters of professional associations that offer opportunities for ongoing development and continuing education. Annual membership dues are reasonable and include webinars, workshops, in-person presentations and other opportunities for continuous learning.
Take advantage of the free educational resources that cybersecurity consulting firms offer. They're kept up to date and address current issues. An example is the Resource Center offered by Bishop Fox at https://bishopfox.com/resource-center, which provides guides on a wide variety of topics. Finally, security standards can provide reliable guidance for information security programs and practices. In the hospitality industry, everyone has become familiar with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with this standard is mandatory for any business that accepts payment cards, but PCI DSS is scoped to protecting cardholder data only; it says nothing about guest records, employee data or the rest of your systems.
The U.S. National Institute of Standards and Technology (NIST) publishes a series of Special Publications, available at no cost, that provide comprehensive standards for protecting all confidential data. A good starting point is NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations," which catalogs a wide range of risk controls to review and consider.
Another guidance standard available at no cost is the CIS Critical Security Controls (https://www.cisecurity.org/controls). Its Controls Navigator highlights three control areas as the top priorities for SMBs:
- Security Awareness and Skills Training
- Data Recovery
- Access Control Management
The guidance is clear and concise, although a security professional is best qualified to implement the controls.
Finally, the non-profit Cloud Security Alliance (https://cloudsecurityalliance.org) offers content contributed by experienced cyber professionals, including a wealth of guidance on evaluating and working with cloud service providers.
As a word of encouragement: a critical success factor for data protection is a strong commitment from top management and collaboration among all stakeholders, including finance, legal, human resources, sales and marketing, and customer service. Your leadership will make the difference in putting these strategies to use.