Normally it is fairly easy to staff IT activities. There are plenty of people skilled in performing infrastructure operations, desktop support, development & application maintenance. You can either employ generalists or outsource the work to your IT service provider.
The reverse is true for cyber security. There is a severe shortage of skilled people in this newer discipline, and generalists are of limited use. Intruders will quickly find and exploit gaps in your defenses, so you need specialists who are just as capable as the attackers. The range of specialist skills is daunting: security architects; security for networks, servers, applications and end-user devices; penetration testing; intrusion detection; incident response… just to name a few.
Only large-cap companies can afford to employ a cohesive team with all of these specialist skills, and they have to pay a premium for such people. Mid-cap and small-cap companies have to make do with a few generalists, plus some staff augmentation by contractors or third-party vendors. The obvious consequences are that coverage is patchy; the defenses are good in places and bad in others; and support is often limited to normal working hours.
Intruders don’t work normal office hours, and they have tools to discover weaknesses and exploit them. On average it takes a company 212 days to discover a successful intrusion, and by then it is too late to do anything about it. Although you hear a lot about cyber hacking in the media, the vast majority of cases go unreported because the victim never discovered the intrusion, or does not want clients to know about their exposure.
Nature has a way of correcting these imbalances in skills, and no doubt universities and technical colleges will be producing a wave of cyber security graduates within the next decade. Meantime, you have a couple of choices to keep the barbarians out of your fortress. The first is to engage a company that provides a “Virtual CISO” team. They have dozens of specialists who cover the entire spectrum of cyber security skills and best practices, and they can provide you with a changing blend of fractional specialists (say, one day per month of ethical hacking) according to your needs. So when a compromise is detected, they can storm the problem with many people for a short time and snuff out the attack, while still maintaining a low average staffing level (say, one full-time equivalent) and an affordable cost. Your second option is to upskill your team with CISSP (Certified Information Systems Security Professional) training on an accelerated program of less than one year. Integrated Cyber offers both of these solutions, and would be pleased to solve your problems for you!