How can companies close the cybersecurity skills gap?

According to statistics from Accenture and the Ponemon Institute, attacks resulted in companies losing up to $11.7 million in 2017. The year before, this number was $9.5 million, so clearly the impact of breaches is worsening. And in the UK alone, more than half of businesses were targeted by hackers between 2016 and 2017.

These statistics mean that businesses need to be alert at all times. But the fact is, staying ahead of hackers isn’t an easy task and companies are struggling. From overstretched IT budgets to a lack of appropriately trained staff, the problems are serious and constantly mounting.

However, the biggest challenge, arguably, is around skills. Companies need access to the right specialists if they want to prevent cyber breaches from happening in the first place. But finding the right employees isn’t easy, and many people are worried that there’s a widening security skills gap. Data from job listing site Indeed shows that while there’s a demand for cyber security specialists, there are simply not enough suitable candidates out there.

Because of this, the majority of companies are investing in sophisticated cyber security software in the hope that it’ll prevent attacks. Yet this isn’t always the case. A report from recruitment firm Acumin claims that when firms end up relying on technology, even more security risks open up. Humans, therefore, are vital. The question is, what must CIOs and IT managers do to close this skills gap and ensure that their staff have the right know-how to fight cybercrime?


Rigorous training schemes

There are plenty of security courses around, but that’s not to say that they’re all perfect. Rory Alsop, head of information security risk oversight at the Royal Bank of Scotland, tells us that a lot of them are ineffective because they only offer “a point in time assessment of knowledge”. He says: “From the CISO’s point of view, they provide some value, but with boot camps and other courses that rapidly train individuals with just the knowledge specific to passing the exam, they do not provide a true indication of how good the individual is at his or her job. They give no validation of experience or the applicability of individuals’ knowledge to their environment.”

Alsop’s main worry is that once cyber security specialists are trained, they do nothing else to keep their skills up-to-date with evolving threats. He says the ISACA - which is a non-profit organization that supports professionals working in information security, assurance, risk management and governance - is working to change this by offering training schemes that use real-life scenarios. “Through the CSX Training Platform, ISACA provides live assessment in a lab which simulates the real world, so individuals can be assessed on their ability to deal with current problems and brand-new threats and challenges,” he says.

“They can also be tested or trained throughout the year, demonstrating their skills growth. With the continuous increase in the volume, severity and complexity of attacks impacting companies, being able to provide up-to-date training as part of an organization’s cybersecurity program is not only essential to help your organization build capability to survive future attacks, but also of high value to your staff to keep their skills and experience current.”


Exposing staff to threats

If there’s one thing that’s certain, it’s that cyberattacks affect all departments within a company. Adam Alton, a senior developer at digital product studio Potato, takes the view that businesses should foster a culture where all their employees understand different types of threats and the impact they can have. “One of the keys to getting people to care about cyber security is to talk about the subject in ways that are relevant to them — giving them real-life examples of the harm that can be done when things go wrong. Focusing on simply the technical or theoretical details just isn’t enough to interest people,” he says.

Alton says business leaders need to teach their employees about the different ways technology can be harnessed to breach companies. “Cyberattacks are usually the result of a piece of technology being used in a way that wasn't originally designed or intended, so it’s a highly innovative, creative field — which can make for a very interesting subject for discussion for all kinds of people, regardless of their current understanding,” he explains.

How can companies do this? Alton says firms should invest in hands-on, interactive courses to help staff improve their cyber security understanding. “Some employees may benefit by having hands-on courses where they could perhaps have a go using a simple wi-fi interceptor or be instructed to hack a deliberately flawed website — I wager that it would provoke a real interest in the subject, and more importantly, start making them consider the security of their own work and the company as a whole,” he adds.


Collaboration is crucial

Richard Parris, CEO at digital identity and credentials management expert Intercede, says all company executives should develop an understanding of cyber threats and encourage their employees to improve their skills in the area. His opinion is that they should act as role models. “Now it’s more important than ever that all c-level executives in any organization lead by example and educate employees about the devastating effects of a cyber-attack on a company’s customers, reputation and revenues and how they can protect themselves against cybercrime,” he says.

Parris encourages business leaders and employees to work together on fighting these threats. He says collaborative efforts are the only effective way to stop cyber criminals in their tracks. “Training and collaboration is paramount. This means everyone, no matter their position or department, must be upskilled to recognize the signs of potentially malicious activity, what to do and how to react if a breach does occur. Education about cybersecurity needs to start from the offset of employment and should be focused as much on awareness and behavior as it is about technology,” adds Parris.

He admits, though, that this can be a challenge. Human error can easily bring down a business. “While education and giving employees the ability and knowledge to recognize potential attacks is important, it is only one part of the solution. We’re all human and all it takes is one employee to become victim to a phishing, piggybacking or water holing attack, and a whole database can be compromised. Instead, companies should be looking at adopting more robust and sophisticated security methods that incorporate multiple levels of authentication, adding an extra layer of security,” adds Richard.

Businesses have faced the threat of cyberattacks for years, and considering the fact that they’re only multiplying and becoming ever harder to eradicate, it’s important that firms start taking action now. While there are plenty of technologies out there to help tackle hackers, it couldn’t be clearer that humans are important in countering these attacks. Once a company’s systems are compromised, everyone is affected. And based on that, it’s critical that the entire workforce works together to combat these threats.


Nicholas Fearn

Nicholas is a technology journalist from the Welsh valleys. He's written for a plethora of respected media sources, including The Next Web, Techradar, Gizmodo, Lifehacker, TrustedReviews, Alphr, TechWeekEurope and Mail Online, and edits Wales's leading tech publication. When he's not geeking out over Game of Thrones, he's investigating ways tech can change our lives in many different ways.
