You only have to look at the latest news headlines to see that critical national infrastructure (CNI) is facing growing risks. Whether it’s hackers trying to poison the water supply in Florida City or cyber attacks forcing planes to be grounded, attacks and risks are growing and organisations simply cannot afford to be complacent.
Any exploitable security vulnerabilities in our CNI can pose significant dangers, including risk to public safety and even loss of life. And while security teams and engineers are doing fantastic work to manage a complex security ecosystem, the pressures on many are high.
As well as operational challenges, such as weighing up the need to patch systems against continual availability, teams are facing a growing number of increasingly sophisticated attacks which could be causing many to question the robustness of their security processes. Indeed, our research showed that while over three quarters of CNI organisations are confident their OT systems are protected from cyber threats, less than a third of these (28%) are very confident, leaving margin for error.
This, coupled with the greater focus on security compliance driven by the NIS Directive, greater inter-connectivity of systems, and the need to update ageing infrastructure, means that IT and security teams are being pulled in multiple directions. But is this sustainable long-term?
Security teams are burning out
Not surprisingly, 85% of those surveyed in our research agree that they have felt an increasing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months – and that’s aside from supporting remote working in the current circumstances!
This is also reflected in the fact that burnout of employees was listed as a top three challenge facing organisations today, stated by nearly one fifth (19%) of organisations, following lack of knowledge/skills (23%) and an increase in responsibilities (23%). However, perhaps more worrying is the impact on employees. For those that said they were under increasing pressure, this is manifesting in a number of ways, including unsustainable levels of increased stress, burnout which has resulted in absence from the business, anxiety and resignations. And with a cyber security skills shortage well acknowledged in Europe, organisations can’t afford to lose staff.
Time for action
Cyber security can be extremely stressful for any IT team, but perhaps more so in CNI sectors where vulnerabilities can pose significant dangers. Often pressures are made more stressful for CISOs by a lack of budget and the risk of being held accountable for failures almost wholly outside of their control. Teams need to be constantly vigilant, monitoring for attacks and plugging gaps, whereas an attacker just has to be lucky once, finding a vulnerability and acting on it.
Evidently, work needs to be done to alleviate the pressure on CISOs and their teams. This could be greater investment into cyber security budgets, re-organisation of current teams, or looking to third parties for extra guidance and support.
We’re seeing more organisations thinking outside the box and adopting an outsourced approach to cyber security, engaging our team of independent experts to help them plug skills gaps and work with them to identify, hire and train up the best candidates. This approach means organisations get the support of a trusted advisor, while also working to build up their own internal knowledge. Employees also benefit as they feel the company has invested in their development and growth.