Working through the cybersecurity skills gap

Get a copy of the upcoming book "Secure Operations Technology"

It’s no secret that there’s a shortage of qualified personnel in the field of cybersecurity. It’s a problem that has long been noticed and one that is projected to get even worse—to the tune of 1.8 million by 2022, according to (ISC)².

Despite this massive skills gap on the horizon, the number of breaches appears to be declining. Appearances, however, can be deceiving. As criminals shift their tactics toward new types of threats, such as ransomware, they’re finding ways to do more than merely steal data. Ransomware attacks allow criminals to lock or delete data altogether, which ends up costing organizations more than a traditional data breach—despite it not being quantified by ‘records breached.’

With an expanding pool of threats to deal with and a shrinking pool of qualified people to address them, how do we tackle this serious problem? The obvious answer is recruiting more qualified people to do the job. But simply increasing our ranks isn’t going to fully resolve the problem. Security professionals need to implement a multi-pronged approach to deal with the different aspects of the ‘threats’ challenge at hand. Here are four major ways we can start better dealing with security threats today:

1. Security by design

All too often, security is an afterthought in design. Unless the product is being specifically designed for security purposes, security features are often tacked on toward the end rather than considered as a key element to the design process. Take the automotive industry, for example. The automobile was designed with the intent of offering people an option for travel that didn’t involve feeding and picking up after horses. Many early cars didn’t even have locks, as they were owned by the very wealthy who had drivers who would stay with the vehicle. Even now, connected cars are vulnerable to having their computer systems hacked into due to all of the IoT components going into them.

According to Gartner research director Ruggero Contu, when looking at IoT devices “a consistent security strategy is all but absent.” If we hope to collectively tackle the cybersecurity problem as more IoT devices coming into play, we must make security an integral part of the design process.

2. Drilling down into security in STEM

The deficit of cybersecurity professionals is something we need to start planning for now. In 2001, Dr. Judith Ramaley, assistant director of education and human resources directorate at the National Science Foundation, coined the term STEM to describe the educational emphasis that should be placed on driving Science, Technology, Engineering and Mathematics in schools. The term STEM is now commonly used in many countries with the goal of encouraging kids to take an interest in these fields in hopes of building a greater pool of trained professionals for the future.

While security falls under the STEM bucket, are we doing enough to drive interest at a young age? In the very least, leaders in the security industry must start working more closely with STEM program developers around the world to highlight the severity of the situation and work to close the cyber security gap for future generations. It’s not a problem that happened overnight—and it will take time to fix—but we need to start now.

3. Security awareness in company culture

No software installed on the back end can do its job 100 percent of the time if people aren’t being cautious on the front end. To start, end-users should be looked to as front line troops in the fight against cyber threats. We need to ensure they understand what an important role they play in preventing cyber attacks.

To be successful, organizations should view cybersecurity ‘preparedness’ as being about more than just work. By offering to help employees and their families build out security practices in their homes, it will naturally create an organization of security awareness. A few years ago, I worked with an organization in the transportation industry that went as far as to purchase security software for all their employees’ household devices as a thank you for completing the annual online security course. This not only increased participation in future surveys, but it also created a more secure work environment—with home devices becoming less likely to transfer malware to the office devices and vice versa. Furthermore, it increased everyone’s security awareness across the company.

4. Implement IAM

Another key element organizations can look at is identity access management (IAM). If they are employing IAM solutions, they can limit their risk pool by ensuring that only the right employees have access to the right data at the right times. This means if one of their “front line troops” falls victim to an attack of some sort, they would only have limited access to corporate data that could then be locked down quickly leveraging the IAM solution to sever access entitlements.

It’s evident the cybersecurity threat landscape is evolving, but we aren’t at a complete loss. There are still a few tools left in the proverbial toolbox ready to tackle this challenge. As an industry, if we can look at the situation holistically, we will be able to outsmart the cyber-criminals of today and pace ourselves to get ahead of potential criminal acts of tomorrow.