The novel coronavirus (COVID-19) pandemic has sent shockwaves across the globe. It has not only affected individuals personally; businesses have also experienced changes to the way they operate, as well as staff shortages due to workforce cuts. The skills shortage was a prominent issue in the cyber sphere even before the pandemic. Industry experts discuss how CISOs can find cyber talent and work to close the skills gap amid the global situation, to ensure security is not forgotten.
Mohammad Jamal Tabbara, Senior Solutions Architect, Infoblox, said: “IT departments are suffering from a chronic lack of cyberskills. The IT industry is the fastest evolving industry out there with a myriad of various different technologies and solutions. A subject matter expert today could be completely out of the loop the next. It’s not enough to be a technically well-rounded IT professional; one must also understand the business needs and objectives. It is very difficult to find talent that can have all of those qualities. If you do find any, make sure you do everything you can to keep them.
“There are currently limited skills in the market which can be attributed to the actual lack of manpower. A lot of companies have one or two technical resources that are certified on three or four different technologies. This puts a strain on resources and compromises the level of service.
“Engineers are mostly motivated by knowledge and technical development. Hire a lesser number of people but make sure you continuously develop them and do everything you can to retain them. You will notice an immediate and positive impact to your business. I think it is important for companies to keep abreast of which emerging technologies are likely to necessitate a future skillset need among their employees and then facilitate training programmes to get their employees the skills they will need down the road. The biggest barrier to training is time constraints as training programmes tend to be quite time-consuming. A lot of these training programmes also seem to be extremely heavy on content which can lead to information overload. Training programmes need to be simplistic and to the point.
“It’s true, there isn’t a lot of talent if one looks on the surface. Don’t just judge a book by its cover – whether it’s a negative or positive judgement for that matter. I often get asked to provide feedback on whether a candidate is ‘good enough’ to hire. If that’s the approach, you should stop hiring and change your approach altogether. Would you want a ‘good enough’ boss or a ‘good enough’ engineer implementing the solution you’ve just spent several hundred thousand dollars on? Chances are every one of you will say no to all of the above. Qualities such as teamwork, integrity and emotional intelligence are absolutely key when making a hire and they shouldn’t be binary. But the one area I believe employers should pay very close attention to is the appetite of that individual to learn and to be coached. Finally, when you get someone good, hire them, take time to understand them and invest in them.
“Some organisations are mitigating talent shortage by casting the net wider and recruiting talent from markets outside the region. In addition to casting the net wider, there are a number of highly experienced agencies that specialise in IT recruitment that we would advise CIOs get in touch with.
“We believe that the best talent wants to work for the best companies. While offering an attractive compensation package is important, it is equally important to have a really strong culture – one in which employees are more than just a number and where there is a strong emphasis on having ‘fun’.”
Matt Lock, Technical Director UK, Varonis, said: “Reports say there will be over 3 million unfilled security positions by next year. It’s going to be an ongoing issue, but COVID will squeeze many companies and add to the challenge. According to Cybersecurity Ventures, a total of 3.5 million cybersecurity jobs will be available but unfilled by 2021.
“Executives and boards looking to reduce their expenses should think carefully before cutting security staff or eliminating open positions. Companies should also widen their approach to recruiting by considering candidates who have not attended university – cybersecurity is a dynamic field and those hiring should prioritise experience and certifications.
“Many business leaders do not understand that their IT and security staff is underutilised. If IT is spending their time resetting passwords and assigning access to group resources, and if security staff is buried in alerts, it’s only a matter of time before a compromise occurs. Organisations should reduce the burden on IT by helping end-users help themselves with self-service tools, and they should help security staff by ensuring their defences are tightly integrated to help staff quickly identify and elevate only the most likely security violations.
“Automation and Machine Learning are picking up the slack by helping companies bridge the human talent gap and defend critical assets. If you’re still relying on staffers to watch monitors 24/7, you’re already behind. Not only is it ineffective and a waste of your qualified staff, it does not guarantee that you will spot and stop an attack before damage is done. Attackers are opportunists and sophisticated ones will take their time and launch an attack when it’s least expected. If a ransomware attack hits your network on a bank holiday or a Friday evening, technology will be your first line of defence.”
Asma Zubair, Senior Manager of IAST Product Management at Synopsys, said: “The pandemic has brought about an uncertain business outlook for many organisations. IT infrastructures are overloaded, the organisational attack surface has grown exponentially with employees working remotely around the globe and cyberattacks are on the rise.
“The situation is further exacerbated by widespread budget cuts that many organisations are experiencing to compensate for disrupted supply chains, less-than-ideal Business Continuity efforts, tightening profit margins, and a myriad of other factors. Pair all of this with the perpetual cyberskills gap our industry is continuously working to resolve and we have a perfect storm on our hands.
“The cyberskills shortage is not a new problem. Automation, cross-training of employees in cybersecurity and willingness to hire promising candidates who will require on-the-job cybersecurity training have been some of the tried and tested methods that successful organisations pursue to work around the cyberskills shortage. Under current circumstances, business leaders can take a few additional steps to mitigate unique and hopefully temporary challenges that the ongoing pandemic presents.
“Ensure IT infrastructure consistently meets reliability, availability, serviceability and security requirements to facilitate remote work. Revisit and enforce security policies to ensure the security of your employees and customers, and the privacy of data they handle. Protect your data using reputable VPNs, deploy mobile management solutions for data security on mobile devices, test and patch applications regularly and enable MFA with SSO for the authentication and authorisation of users.
“To get the most out of your budget, consider consolidating vendors to negotiate better discounts. Consolidation also brings greater efficiency by reducing the user learning curve (one tool vs. multiple tools) and increasing productivity with platform-centric solutions.
“Until you have budget to hire full-time employees, also consider using managed services to support your security needs. Additionally, pay attention to running costs and stay away from security tools that may become a drain on user productivity.
“COVID-19 has made remote work a more widely acceptable practice, one that may in fact allow organisations to hire remote employees who may be better suited (in terms of skills and compensation) than the local talent pool. The onset of a remote workforce may also compel organisations to elevate their security measures and help improve their overall security posture. Where challenges are presented, there are also opportunities to learn, grow and evolve.”
Alain Penel, Regional Vice President – Middle East, Fortinet, said: “In the cyber arms race, the criminal community has often had a distinct advantage due to their ability to take advantage of the cyberskills gap, the expanding digital attack surface and especially by leveraging the element of surprise with tactics such as social engineering to take advantage of unsuspecting individuals.
“The need for skilled cybersecurity professionals is more crucial than ever, with global shortages in talent affecting 82% of organisations. Further, 71% of those organisations believe this talent gap has caused direct and measurable damage to their organisations.
“Many organisations are choosing to bridge their skills gap with high-tech solutions that employ automation. While this is an important and effective strategy, it is still not enough. Business leaders must go beyond adding essential solutions to their toolkits by also looking to their current resources, including their teams, to fully address this issue.
“Filling this gap requires support from every sector – public and private – by supporting things like education, cross-training and mentoring, both for cybersecurity professionals and everyday users. Cybersecurity vendors have a critical role to play too, that goes well beyond simply providing training on their own products and solutions.
“Cybersecurity vendors have a successful track record of providing training for the users of their security solutions. However, if they truly want to become trusted advisers for their customers, they need to adopt a training and education strategy with a much wider focus than their own products and solutions.
“The crisis of the current – and growing – cybersecurity skills gap cannot be overstated. Our society relies more than ever on the availability of a global digital infrastructure and the reality is this is a looming existential threat to the ongoing viability of our digital economy. Cybersecurity vendors are uniquely positioned to help by extending their ability to train and educate customers and partners to a global audience at all levels of experience.”