The lack of skills across info-sec and cyber security is well-documented, but what is the solution? This is something I have been discussing with CISOs across the globe over recent months.
As the volume of data breaches continues to rise at an unprecedented rate, cybercrime has become a fact of life in the digital age. Named ‘the worst year ever’ for cyber incidents by the Online Trust Alliance, 2017 saw the number of cyber-attacks targeting businesses nearly double from 82,000 in 2016 to a staggering 159,700 the following year. Considering the majority of cyber-attacks go unreported, however, the OTA noted that the true number of incidents in 2017 could actually sit somewhere above the 350,000 mark.
Naturally, most business leaders today recognise the need to improve their cyber-security profile - in fact, results of PwC’s 20th Global CEO Survey found that nearly two-thirds (62%) of the global CEOs surveyed viewed cyber threats as an ongoing concern for their organisation’s growth prospects. Unsurprisingly, the research further revealed that 78% of CEOs are concerned about the lack of relevant IT skills in their organisation - and so they should be. By 2019, it’s anticipated that there will be a global shortage of 2 million information security experts; a headline that is music to the ears of cyber criminals (and maybe, just maybe, the MD of an Info-Sec recruitment consultancy...).
Due to the rate at which we have seen attack methods evolve and grow in sophistication, the cybersecurity skills gap has become a ticking time bomb: if we wait to tackle it, it will become increasingly harder to resolve. Faced with a lack of talent and an increasingly dangerous landscape, what is an organisation to do to protect itself?
1. Hire on potential
As our digital capabilities have increased, so too has our vulnerability: now more than ever, businesses must prioritise the recruitment of info-security professionals lest their networks be open to opportunistic hackers. Due to the shortage of experts in this field, however, recruiting for this role will be a little less straightforward. Rather than giving up the search when no talented candidates come along, leaders and hiring managers must broaden their search criteria and consider the potential that lies within other disciplines.
When scouring IT departments for the next convert, how about looking beyond the obvious? For example, a talented communications professional may not seem like the obvious choice for a cyber-security role, but their ability to take complex information and distil it into something that others can engage with could prove useful in relaying complex security-related information, as well as the importance of cybersecurity practices, to the wider business. Similarly, professionals with a background in accountancy usually pride themselves on strong attention to detail, a critical requirement within the role of a cyber-security expert.
2. Increase investment in training
If the next generation of cyber security individuals are going to be able to make the right decisions, today’s business leaders must take responsibility for their formal training. It isn’t enough to encourage external courses or assume those who are interested will learn in their spare time: instead, leadership teams and middle management must actively engage their staff in cyber awareness; they must ensure that opportunities are available for any member of staff seeking to gain new skills and improve employability in the future - after all, a well-trained cyber-security professional has become a hot commodity in the employment landscape. In order to address some part of the growing demand for cyber-security skills, employers must shift away from outsourcing / offshoring and focus on building internal teams.
3. Broadening experience of employees
For both large corporates and SMEs, using cross training and knowledge enablement is a vital step to helping address the shortages. Ensuring that existing teams are aware of each other's roles and have gained exposure to the challenges posed could prove invaluable in balancing out productivity fluctuations. Taking this a step further and giving exposure (perhaps a day shadowing) to other employees across the business who have shown an interest not only opens up a potential talent pool but also builds stronger internal relationships, which in turn helps with the general information security messaging.
Of course these aren't quick fixes and not all options will be appropriate at all times. But if they've worked for others, why couldn't they work for you?