Addressing the Cyberskills Shortage
Article submitted by Lawrence Roberts, Cybersecurity Specialist at Tech Data
Why is cyber security so tricky to get right? For one thing, there is a skills shortage amongst IT professionals. So, what can be done to fix the skills gap and make cybersecurity more accessible?
Digital data and operations are already at the core of most modern organisations, and this trend is only increasing. But, with this reliance on computerised systems comes a variety of cyberthreats. These risks may be internal, originating with employees and contractors. They may be external, the result of activity by cybercriminals or even your own customers. They may be deliberate acts of data theft or disruption, or they may simply be caused by human error and negligence.
No matter where or why a cyberthreat originates, it has the potential to be devastating to companies, their employees, and their customers. That’s why it’s important to understand cybersecurity practices and tactics for effectively defending against hazards in the digital world.
The cyber threat landscape is constantly changing. It’s not unusual for an attacker to change tactics, adapt its operations to new vulnerabilities, then update its protective manoeuvres as vulnerabilities are identified. Elaborate techniques may come and go during a cyberattack, as companies attempt to anticipate and react to emerging threats.
As a result, current teaching materials may not be up-to-date, resulting in many workers not having the skills to effectively defend themselves and their organisations. This skill gap may operate as a barrier to entry into the cybersecurity field for those looking to enter the field without extensive training. Training alone isn’t enough to protect employees and avoid attacks. Organisations must provide tools for assessing and responding to data breaches, as well as for tracking efforts to mitigate future threats, such as following the Digital What, Where, and How (DWH) model to identify, prevent, mitigate, and respond to data breaches.
But how is it that one organisation’s efforts to respond to a breach may be inconsistent with another’s? Following a breach disclosure, DWH model teams look at the impact of the breach across multiple impacted systems and work to determine what actions need to be taken. They also work to identify all data that was compromised and quickly put it in play to mitigate the impact on the organisation. DWH models can dictate multiple remediation actions, such as retraining affected employees.
Each incident is unique to the organisation, both in terms of the form of attack and the resulting damage. A DWH model may not be able to fully assess an incident if it isn’t aware of all the data that was stolen or exposed, if there are multiple breaches, if the attack leveraged a previously unknown vulnerability, or if the organisation has multiple points of failure. Sometimes all that’s needed is a change or assessment in leadership, purchasing practices, or IT planning. Other times the impact is non-catastrophic, but may still require additional recognition and response efforts.
The organisation must consider business interruption as well as operations aimed at preventing further damage, or possible modifications to processes to adapt to the unexpected. By the same token, if an employee’s personal computer had been infected with malware, then protocols are different.
Indeed, it’s no easy task.
Hiring is more of a perfect storm than most businesses realise. About twenty percent of IT hires are actually sub-contracted, leaving a huge skills gap and reducing efficiencies within many organisations. Competency is a critical but often overlooked factor. Cybersecurity discussions often centre on what people should know and how to do, but the decision to hire a particular person usually comes down to Euro cost vs. benefit. For a company trying to stay afloat during uncertain times, costs may outweigh talent considerations.
Too many go “now or never” on hiring recognised and expert professionals. That’s deadly, and it may ultimately prevent companies from growing. Today, evolving laws and regulations are continually forcing organisations to up their cybersecurity posture, and therefore their need for skilled IT employees.
A survey by Gartner in 2019 revealed that most IT leaders in the US and EU are too scared to do the right job because of lack of skills. Some 74% of respondents indicated that skills are the number one priority when hiring for their organisation. Skills are often thought of as an overrated commodity, but most organisations take them seriously.
A study conducted in 2019 by Oracle Research Corporation found that “Certifications matter less to recruiting managers than you think.” In other words, most IT leaders are happy to overlook non-technical credentials such as certifications, when they’re combined with other dots and skills. That perhaps goes to show how desperate the skills gap has become. In fact, 70% of respondents in a recent Gartner study believe that certifications are desirable for candidates who want to break into IT, and 69% of respondents indicate that certifications are important for risk management.
In just eighteen months, the stakes have increased significantly, as evidenced by the increased focus on digital data and operations in the pandemic. And yet, the challenges of securing our networks and data has not received the attention it deserves. Simply put, despite the obvious need for greater awareness of the cyberthreat through education and training of employees and contractors, there is a skills shortage among IT professionals. In fact, only about a third of companies with 2,000 employees reported being skilled in cybersecurity. Why is that the case? And more importantly, what can be done to fix the skills gap and make cyber security more accessible?
The lack of skilled cybersecurity professionals is because it takes a lot of time to develop the skillset to do the job. Abnormal work, long hours, and high-stress environments are absolutely hallmarks of the IT world today. Many companies see these as negative attributes, when in fact, technical skills are only one piece of the post-digital puzzle. Ensuring the right people have the right training can ensure that the organisation and its employees have what it takes to stand up to any challenge that comes their way.
There is certainly no shortage of challenges to overcome with securing IT systems. While increases in cybersecurity funding are positive, it is still insufficient to produce large numbers of highly skilled cybersecurity professionals quickly.
For the channel, you need to sell your services and offerings. In this instance, certification takes on a new level of importance. Your customers won’t take risks with people who are not qualified for the job. They need to feel reassured the person in their systems knows what they are doing. Equally, if it goes wrong through a rookie move, it might not just be your brand reputation that’s on the line. What we see, is that it’s easier for the channel to recruit, simply because the role they’re offering is much more varied and interesting. Plus, going back to the last point, they value investing in certification and training.
When you are looking for a training provider, it is important you choose one that offers vendor approved courses. That way you know you are getting a quality course that is likely to lead to a recognised certification. Moreover, many of them today will offer students different ways of consuming course content depending on the students preferred learning style. At Tech Data, we have a dedicated team called Academy who help students select, book and consume the right courses.
As the popular saying goes from Derek Bok, “If you think education is expensive, try ignorance.” George Lucas, the filmmaker, called education ‘the single most important job of the human race’.
