Just like financial officers, security information officers and professionals are at the front lines of protecting companies, information and data, and even lives in some cases.
For example, the attack on Waikato District Health Board has highlighted the importance of cybersecurity staff in preventing future attacks—the loss of personal information led in this instance to denial of access to life-saving treatment.
Cybersecurity should be everybody's concern. Whether you are a cybersecurity professional or not, cybersecurity risks are ever-present in day-to-day activities, both professional and personal. You may think that cybersecurity is not something you need to worry about, but that is not true. Attacks are happening all around, even in government and public facilities such as water plants, hospitals, and more. These attacks can ultimately hurt citizens by cutting off their access to basic needs.
Privacy, security, and information professionals have specialized skills. It is not only about technical skills such as data analytics or coding; there are also ethical and legal frameworks that must be implemented. Investing in staff and cybersecurity resources has its benefits. Hands-on training and testing are critical for gauging employees' ability to recognize malicious attachments and links, for example.
The conversation around the digital skills and cybersecurity gap is becoming increasingly prominent across the world. Many of the nations often considered amongst the world’s most advanced, including Canada, the US, Japan and others, are struggling to adapt to a world where new technologies play an increasingly important role across the economy and society.
1. Cybersecurity is the key concern
As a great deal of our professional and personal lives revolves around digital content and platforms, protecting our information and data is a key concern. Because the industry is constantly evolving in response to the shifting behaviors of cybercriminals and the new attacks they develop, cybersecurity is hard to predict, yet organizations must keep up with it.
Estimates put the worth of last year’s global cybersecurity market at around $42 billion alone. Despite the increase in spending, a shortage of cybersecurity talent still persists.
2. Improving the appeal
Cybersecurity should be presented as a viable career and the way it is taught should be revamped. Educators must cast a critical eye over their content and their methods. Traditionally, especially in university, teaching focuses on theory and understanding motives behind attacks, potential losses, etc. However, the focus should change to actually performing, practicing, and implementing cybersecurity measures.
The science of learning shows that students need to construct knowledge for themselves, and in many cases, effective learning would be better described as a process of pulling information out of students’ minds. Experiential learning provides an opportunity for continuous learning and improvement, giving the student instant feedback and the ability to reflect on what to keep doing.
3. The role of innovation
Students should have access to resources, because that is how they will learn and play an active part in closing the skills gap.
One of the most innovative resources is cyber range technology. Cyber ranges enable users (which can be institutions) to generate a realistic, capable and credible virtual environment that requires trainees to respond to cyber-attack simulations in real time. Within the simulated network, users learn to cope under high levels of stress, locating and exploiting vulnerabilities on various network systems. This helps them develop the skills to identify, monitor and resist cyber attacks. Cyber ranges can mimic your IT systems and provide sophisticated training in the form of task-driven Capture-The-Flag (CTF) exercises, live-fire exercises, or a combination of both (threat hunting). They are available as open source and can be deployed quickly through the cloud, making roll-out to anywhere in the world a smooth process.
Organizations are taking too long to respond to security threats. 25 per cent of respondents reported that their company takes up to 60 days—or longer—to address low- to medium-risk vulnerabilities, and 1 per cent of companies don’t bother to remediate the attacks at all.
Slow responses to security vulnerabilities can and do create risks for organizations.
42 per cent of respondents said their companies do not have a budget to fully test all of their applications. Without sufficient budgets, companies cannot provide employees with the best resources, workshops, or opportunities for growth and learning. In addition, without budgets, companies won't have enough to put towards new technology to protect their data and assets.
86 per cent of respondents agreed that it is difficult to find and/or hire people with the right skill sets to do pentesting. The cybersecurity skills gap persists and remains a struggle worldwide.
Even though 78 per cent of respondents agreed that pentesting is a high-priority item for their security teams, they conduct the tests on 63 per cent of their application portfolios, on average.
Only 3 in 10 of those surveyed reported their company’s security and engineering teams were “intertwined.” Security and engineering teams still have work to do to collaborate effectively on remediation priorities. This means that lower-risk vulnerabilities stay exposed for longer and come up again at a later test.