SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Addressing the cybersecurity skills gap
Fri, 8th Nov 2019

Several high-profile breaches and data leaks, such as the recent PayID attack (which impacted almost 100,000 customers of NAB, CommBank, Bankwest, Westpac and ANZ), have highlighted just how vulnerable critical systems are to disruption and damage, as cyber-attacks increase in both prevalence and disruptive potential.

The likelihood of massive data fraud and theft is now the third-largest risk facing the global economy, according to the World Economic Forum's Global Risks Report 2019, closely followed by cyber-attacks.

“In fact, a major cyber-attack could be just as deadly as nuclear weapons,” says North Dakota State University Computer Science assistant professor Jeremy Straub.

Beyond the serious reputational damage a cyber-attack inflicts, the commercial impact is also rising: research conducted by the Ponemon Institute shows the cost to Australian businesses increased by more than 14% over the past year.

The average cost of a data breach to an Australian business soared to more than $3 million in 2018-2019.

The people and skills shortage challenge

To thrive and survive in today's increasingly connected world, organisations in the private and public sector are in hot pursuit of digital transformation to accelerate innovation.

But this drive is also increasing their potential vulnerability to the threat of cyber-attack.

With cybersecurity professionals in short supply, many organisations are under enormous pressure to meet the challenges of the modern cybersecurity environment.

Cybersecurity is consistently rated as one of the most problematic skills shortage areas in the enterprise.

In 2018-2019, 53% of companies surveyed by the ESG (Enterprise Strategy Group) said this issue was impacting their business.

Understaffed firms are already fighting for top talent.

Under significant resource pressure and battling relentless workloads, the risk of losing these vital personnel due to burnout and stress is increasing.

Organisations need to apply some holistic thinking to address the impact of digital transformation on cybersecurity.

Widening the search for cybersecurity personnel

As the cyber skills gap widens, enhancing the workforce is no easy task.

Recruiting new cyber talent is not the answer.

To address the skills gap, organisations need to extend their talent pools in other ways.

For example, one key finding of the (ISC)² survey was that 43% of respondents said their organisation provides inadequate security training resources.

Implementing a clear career progression path for those taking on cybersecurity duties will help incentivise existing IT personnel to join the cybersecurity ranks.

Bolstering the cybersecurity workforce means businesses also need to broaden the range of potential candidates and focus their recruitment efforts on those from non-technical backgrounds.

This means considering people with the potential to work in a collaborative and smart way to solve problems.

For example, ex-military veterans are problem solvers, ask the right questions, and perform well in strategic management roles, including the management and motivation of staff.

Similarly, firms need to empower women to join the cybersecurity workforce.

Women represent just 20% of the global cybersecurity workforce in 2019, despite the sector experiencing growth and a huge demand for new recruits.

Women represent a vast untapped resource and organisations need to address the discrimination barriers that are disincentivising women from working in this field.

Train widely

Alongside improving recruitment engagement and outreach, organisations will need to train and prepare employees for cybersecurity transformation.

This includes introducing a broader base of professionals to educational opportunities previously reserved for cybersecurity analysts and other roles.

Organisations not investing in training and development programs for individuals from a non-technical background are taking a short-sighted approach – one that exposes the enterprise to greater risk as the threat landscape continues to evolve over the coming years.

Make cybersecurity everyone's responsibility

A key aspect of taking a more holistic approach to cyber training is increasing cyber awareness for all employees.

According to the Online Trust Alliance, 93% of all breaches in 2017 could have been prevented by basic cyber hygiene.

Initiating regular short training sessions for the entire workforce, exploring topics such as phishing – so that employees are primed to recognise a threat and know who to alert – is a must-do activity.

Training input needs to be relevant and reinforced regularly.

Everyone must understand the latest threat trends and their responsibilities in relation to keeping company and customer data safe.

In the face of a persistent shortage of cybersecurity skills, companies must rethink people and resources to maximise their resilience to attack.

From broadening their view of the workforce to developing new, previously untapped, candidate pools and extending cybersecurity awareness and training to the wider workforce, taking a more holistic approach can help organisations adapt and ensure the new digital workplace stays protected.