A holistic view on solving the cyber security skills gap

Organisations need to focus on development and diversity and target traits over skills

Cyber attacks are increasing in prevalence and disruptive potential, and several high profile breaches and data leaks have acted as a major wake-up call as to just how vulnerable critical systems are to disruption and damage.

Recent years have also seen the threat landscape evolve – from sophisticated individuals to organised crime enterprises and the rise of state-sponsored hackers. These groups are targeting vertical sectors in a bid to cause harm, seize money and sabotage infrastructure, with several rogue nation states sponsoring economic espionage on an industrial scale.

Alongside inflicting serious reputational damage and harm, the commercial impact of these attacks is rising and expected to accelerate, particularly as cloud and IoT adoption continue. Lloyd’s of London estimates the global cost of a serious cyberattack to be more than £92 billion, while the UK government’s 2018 Cyber Security Breaches Survey found nearly half of UK businesses had fallen victim to cyberattacks or security breaches in the last year.

Quantifying the skills shortage

Cyber security is consistently rated as one of the most problematic skills shortage areas in the enterprise. In 2018, over 50 per cent of companies surveyed by the ESG (Enterprise Strategy Group) said this issue was impacting their business. Meanwhile, a recent survey commissioned by (ISC)² identified a glaring skills gap on the horizon, projecting that the overall cyber security skills shortage is set to rise to 350,000 workers in Europe by 2022.

With cyber security professionals in short supply, many are under enormous pressure to meet the challenges of the modern cyber security environment. Understaffed firms are already fighting for top talent, but under significant resource pressure and battling relentless workloads, the risk of losing these vital personnel due to burn out and stress is increasing. Organisations need to apply some holistic thinking to address the impact.

Development, not recruitment

Recruiting new cyber talent is not the answer. To address the skills gap, organisations need to extend their talent pools in other ways. For example, the (ISC)² survey found that 48 per cent of IT staff are looking to become certified in some form of cyber security. Implementing a clear career progression path for those taking on cyber security duties will help incentivise existing IT personnel to join the cyber security ranks.

Forward thinking chief information security officers (CISOs) are investing in increasing staff competencies and supporting career development through mentoring and training in a bid to enable the right expertise needed to counter today’s threat climate. But bolstering the cyber security workforce means businesses also need to broaden the range of potential candidates and focus their recruitment efforts on those from non-technical backgrounds to help ease the skills shortage.

Traits over skills

This means considering people with the potential to work in a collaborative and smart way to solve problems, for example ex-military veterans. Veterans Work, a collaborative research project led by the Officers’ Association, Deloitte and Forces in Mind Trust sets out a compelling business case for hiring veterans; they are problem solvers, ask the right questions, perform well in strategic management roles and the management and motivation of staff.

A wider scope

Organisations not investing in training and development programmes for individuals from a non-technical background are taking a short-sighted approach – one that exposes the enterprise to greater risk as the threat landscape continues to evolve over the coming years. Considering that a significant proportion of executives and C-Suite professionals have arrived in the industry via non-technical careers, companies cannot ignore the fact that employees from any walk of life can rapidly acquire the technical know-how and experience required to do the job.

When it comes to mining the potential of the female empowered workforce, numerous national programmes are encouraging women to acquire cyber skills. The UK’s National Cyber Security Centre has created courses to encourage girls to consider studying the subject at A-level and university. Similarly, since 2013 the Code First: Girls organisation has been supporting young adult and working age women in the UK to develop further professional skills, such as coding and programming, and working with companies to help them capture top female tech talent.

Bringing cyber security to the masses

A key aspect of taking a more holistic approach to cyber training is increasing cyber awareness for all employees. This needs to be a top priority. According to the Online Trust Alliance, 93 per cent of all breaches in 2017 could have been prevented by basic cyber hygiene. Similarly, Verizon’s 2017 Data Breach Information Report highlights how 81 per cent of breaches resulted from stolen or weak passwords.

Initiating regular short training sessions for the entire workforce, exploring topics such as phishing – so that employees are primed to recognise a threat and know who to alert – is a must. Training input needs to be to the point, relevant, in the moment and reinforced regularly, so that everyone understands the latest threat trends and their responsibilities in relation to keeping company and customer data safe.

In the face of a persistent shortage of cyber security skills, companies need to take a new look at people and resources to maximise their resilience to attack. From broadening their view of the workforce to developing new, previously untapped, candidate pools and extending cyber security awareness and training to the wider workforce, taking a more holistic approach can help organisations adapt and ensure the new digital workplace stays protected.