The burgeoning skills gap is a heavily discussed topic among cybersecurity professionals as they attempt to find a solution to this ongoing problem. Toni El Inati, RVP Sales, META & CEE, Barracuda Networks, says it isn’t just training, but rather constant, career-long commitment to upskilling and adapting that will prove to be the hallmark of a top cybersecurity professional.
With the UAE leading the region in terms of digital maturity, it’s no surprise that cybersecurity failure has now been ranked as the greatest risk to the country, according to the World Economic Forum’s The Global Risks Report 2022. For businesses in the country, this challenge is exacerbated by an ever-widening cybersecurity skills gap.
Organisations have been forced to respond by placing new recruits on the proverbial frontlines of the battle against cyberthreats, many of whom aren’t yet up to the task. A global survey of cybersecurity professionals working in enterprise IT organisations conducted by Cyberbit, a provider of a platform for training cybersecurity professionals, found that 41% use on-the-job training to train new team members. That compares to just over a quarter that provide access to security courses, and 22% that make use of simulation-based training tools such as cyber labs, cyber ranges, or red vs. blue training. Not surprisingly, only 45% of respondents said they felt their team was adequately skilled in intrusion detection, while even fewer (42%) said they adequately understood network monitoring.
In times of urgency and crisis, it’s understandable that businesses won’t have the luxury of upskilling new personnel to the point where they’re hardened veterans. But just as the realisation that cybersecurity threats are only set to worsen dawns, so too must the realisation that the ‘quick fix solution’ of placing insufficiently trained staff in demanding roles and then offering them the opportunity to upskill is a recipe for disaster in the long run.
Poorly trained workers are much more likely to suffer from poor morale. Each security incident that goes undetected for months results in an emotional toll. One of the reasons cybersecurity turnover rates are so high is that many cybersecurity professionals become disheartened. Without the opportunity to ramp up their abilities, these new recruits will constantly find themselves on the back foot and often in the uncomfortable position of having to answer to management for lapses in their organisation’s security posture.
The trouble with training
While it would appear that cybersecurity training for industry professionals offers a simple and effective solution, this doesn’t account for the complete picture. Just as it is often stated that no solution offers the ‘silver bullet’ to addressing all cyberthreats, training cannot guarantee future success. Cybersecurity threats are evolving faster than training programmes can keep pace with. No matter how talented any cybersecurity professional may be, there will always be days when the bad guys have developed some new technique that has never been seen before.
More challenging still, many of the skills that new recruits are being taught today are likely to become unnecessary in the months ahead as cybersecurity becomes more automated. Advances in, for example, Artificial Intelligence (AI) will not replace the need for cybersecurity professionals anytime soon. However, the bar in terms of the knowledge that will be required will soon be higher, as more of the low-level tasks that allowed entry-level cybersecurity professionals to be trained on the job are simply no longer required. Entry-level cybersecurity tasks such as log monitoring, maintaining backups and managing updates are all becoming increasingly automated.
So, it isn’t just training, but rather constant, career-long commitment to upskilling and adapting that will prove to be the hallmark of a top cybersecurity professional. Unfortunately, many human resources professionals are out of touch with this reality. Instead of hiring candidates who are willing to be trained, they post entry-level positions that, for example, require certifications that take years to acquire.
Only a third (33%) of the respondents to the aforementioned Cyberbit survey reported that human resources recruiters for their company usually or always understand the requirements for working on a cybersecurity team. Additionally, 70% of respondents said that cybersecurity candidates are being assessed in the same way as other workers — through interviews — rather than using tools to assess their practical skills.
Reassessing hiring
These challenges can only be addressed by a radical re-evaluation of hiring policies. In the fast-paced world of cybersecurity, hard-earned skills and certifications that were months or years in the making can be rendered obsolete in far shorter timeframes. New technologies will constantly erode the value of low-level skills, while new threats will promote the need for constant learning.
In such a stressful work environment, only the most ardent and determined of recruits will have the unshakable will to ‘stay the course’ and constantly seize upskilling opportunities in their quest to become invaluable industry veterans.
The most important thing for HR teams to evaluate when hiring cybersecurity professionals is therefore now going to be attitude. After all, skills can only be acquired by the willing and able. The most important thing is to determine as early as possible who has the fortitude to do the job not only as it is known today, but also the willingness to adapt to how it will inevitably evolve tomorrow.