This is a contributed piece by Mark Weir, Regional Director – UK & Ireland at Fortinet
Findings from the 2015 PwC US State of Cybercrime Survey revealed that only 26 per cent of those surveyed feel they have the expertise to address the cyber risks associated with the implementation of new technologies. This means that 74 per cent of organisations don’t have the cybersecurity talent they need. Reports show the UK is among the worst affected countries globally, and experts fear Brexit may have a further negative impact on recruitment, as a result of a potential mass exodus of talent. What’s worse, the scope of the challenge is broad and growing as more and more organisations – within both the public and the private sectors – digitise their networks, adopt more interactive applications, and move services online.
In response to the talent shortfall, the private sector is offering allurements such as stock options and larger pay checks. Public organisations, on the other hand, are trying to attract security talent by focusing on purpose, control, influence, and challenges. The public sector’s market is always broader, with more interdisciplinary opportunities and applications, and its societal influence is longer-lasting. Many people derive greater satisfaction and fulfilment from a public career than from one in private industry. However, finding the elusive talent to overcome present cyber security challenges is only part of the solution.
Most organisations are up to speed on tried and true breach methods. But what about the attacks they do not yet know about? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool. It’s about putting in place integrated, synchronised and automated security measures, which will help organisations protect themselves from cyber threats – a functionality that most networks, public sector or not, currently lack.
The roots of today’s technology and talent shortfall
Cybersecurity has taken centre stage because of the risks related to increasing connectivity, and because organisations continue to encounter the dangerous unknowns of cybersecurity. Nevertheless, historically most organisations have focused first on ease of connectivity, and then on security, not considering that unprotected data is unreliable and dangerous, while security without data is an empty bank vault, impressive but without function or purpose. Instead, the ultimate goal should be to coordinate and scale connectivity and security equally and simultaneously. In practice, this means organisations need to embrace integrated security, as defective, altered, manipulated, compromised, or breached data nullifies the benefits of connectivity.
Achieving this change in organisational mind-sets will require a growing security talent pool and a broader definition of the talents required for that pool. Fortunately, the UK is working to develop that talent through initiatives including the increase of spending on cyber security to £1.9bn ($2.4bn) by 2020, and the opening of a National Cyber Security Centre and Institute for Coding. However, much work remains to be done.
It’s not just about technology
Today, most organisations are responsible for a variety of interconnected systems, valuable data, and critical infrastructures. Technology alone cannot protect their systems. Each one can benefit from having a more robust cybersecurity workforce, capable of planning for and protecting them against both known and unknown threats.
Solving the cybersecurity skills gap problem effectively requires enlisting security professionals with a specific set of skills. Their expertise should cover these four key areas:
It may be easier said than done for public and private organisations to bridge the cybersecurity talent gap – but it is not impossible. The first step is to build up and reinforce the UK’s cybersecurity talent pool. One way to do this is by creating programmes and public/private partnerships to actively recruit more individuals into the cybersecurity field from universities and the armed forces. The next step is to ensure professionals’ knowledge toolbox includes the four key areas listed above, through constant education and retraining.
The sooner these initiatives are put into place, the faster organisations will have access to the talent they need to safeguard their critical data – and the better they will be able to prepare for known and unknown current and future threats.