The cyberskills shortage is well reported and, as cyberattacks continue, it is more important than ever that businesses take steps to future-proof their workforce. Bridget Kenyon, Global CISO at Thales eSecurity, tells us that it is time for organisations to truly embrace the diversity debate to help bridge the skills gap.
Over the last three years, cyberattacks across the world have risen by 63%. Attackers have developed and optimised an arsenal of highly effective approaches, including phishing attacks, watering hole attacks and USB seeding (just to name a few) and as cybercriminals are becoming more advanced, our cyberskills shortage is worsening.
It is more relevant than ever for us to look to under-represented demographics to help fill the gap of cybersecurity specialists today. The pool of ‘usual suspects’ is pretty empty. The greater the variety of people, and the greater the variety of experiences they bring with them, the more resilient they can make our organisational defences.
Understanding the cybersecurity skills gap
The cybersecurity skills gap is a pertinent issue, affecting businesses of all sizes. In 2018, small businesses in the UK were disproportionately impacted by cyberattacks, resulting in losses worth £17 billion. New research has also outlined that the UK alone could lose £1 billion this year in Distributed Denial of Service (DDoS) attacks, a type of cyberattack that aims to crash a website by flooding it with traffic.
Worryingly, a third of small businesses have no cybersecurity strategy in place according to YouGov and some security practitioners even believe they should have the right to ‘hack back’ when attacked by cybercriminals. We are in the midst of many unofficial guerrilla cyberconflicts which only seem to be escalating and this is impacting the threat and compliance landscape.
How to potentially bridge the gap
Whether it is a malware attack, a DDoS attack or some excitingly innovative approach we have yet to encounter, employees can either play a pivotal role in protecting organisations or significantly increase the risk we face when it comes to information protection.
To better prepare staff, organisations should already be ensuring that employees at all levels are informed, actively engaged and trained to make appropriate decisions. This is not a new challenge, but it continues to pose a threat for most businesses: our latest Data Threat Report showed that almost half of IT experts still cite executives and employees as a point of vulnerability. Better-prepared staff will be in a stronger position to repel the next attack when it takes place – be assured that this is ‘when’, not ‘if’.
However, simply training staff isn’t going to change things. Organisations must work harder to create a more diverse workforce. And there will be opportunities. For example, when an organisation invests in technical tools to provide more intelligence around threats, or higher levels of protection, additional staffing resources may be needed to configure and manage systems, and to analyse and respond to findings.
Equally, when an organisation implements training and awareness initiatives to arm their staff, new staff may also be required to design and manage the ongoing awareness work. A diverse intake of staff at this point will allow the new tools, or initiatives, to be designed, implemented, measured and managed in new and unexpected ways.
To widen the hiring pool, organisations can also usefully consider candidates with skills that are less obviously relevant to information security, such as marketing, sales, communications and logistics. They can also create a talent pipeline for the future through apprenticeship schemes or internship programs.
Culture and the sacrificial CISO
As organisations work to improve their ability to manage information risk, the importance of having a Chief Information Security Officer (CISO) is also being recognised very broadly. However, the person in this role needs to be a part of regular discussions at a boardroom level to engage effectively with senior staff and hence encourage them to sponsor organisational change.
It is also important to recognise the impact of different security cultures. The role of the CISO, for example, varies hugely depending on the organisation and industry, with some CISOs having board membership, budget control and large teams, and others reporting many levels below the CEO, and having to apply for resources from other teams. This obviously influences the range of cybersecurity roles available in the organisation but potentially also affects the ability of the CISO to achieve their assigned objectives.
Worryingly, a CISO role is sometimes designed as a scapegoat role, held in readiness against a likely future breach as an alternative to actually improving risk management. Will prejudiced hiring approaches lead to more minorities and women being picked to fill this ‘sacrificial CISO’ role? On this note, organisations will always look to the board to set an example; what proportion of top management are female or ethnically diverse?
The current status of the diversity debate and the underlying trends
What we see currently in the diversity debate are questions around whether people are being treated equally. The fact that such questions are being asked implies that we still have a problem; but the ability to ask these questions also enables us to recognise, call out and redress unfair treatment.
Women are still tragically under-represented in both information technology and information security, so there is a critical need to encourage a more inclusive approach towards hiring and towards treatment of women once they are in post. Each individual is unique and has competencies which should be valued and managed. When we can transcend biases, it will ultimately benefit and strengthen our industry.
With staggering financial losses due to cyberattacks costing organisations in the multi-billions of pounds, the industry is crying out for more skills in this complex field. As professionals in the industry, we need to work together to encourage cybersecurity as a possible career choice for all of the population, not just the part with a male gender identity.
When I think about inequality, I contemplate questions such as why there are so few women in the cybersecurity industry, why women are paid less than men, and why there are more women in low-skilled jobs. The answer is that there is prejudice in this world. This prejudice has created an inaccurate belief that your expressed gender should dictate your career choices and future.
In an industry with a disproportionately high male representation, I can see its shadow on so many organisations – and the sadly inaccurate assumption that having a woman or a person from an ethnic minority solves an organisation’s diversity issue. A person’s ethnicity, sexuality, gender, gender identity or background should never be more important than their skills or experience. Each individual is unique and has competencies – and weaknesses – which should be valued and managed.
With organisations now forced to publicly display the disparity between male and female salaries – and with a move to do the same for different ethnic backgrounds – we will continue to see companies’ diversity problems becoming embarrassingly visible. It is time for organisations to truly embrace the diversity debate to help bridge the cybersecurity skills gap.
The first step in fixing a problem is recognising that it exists; and the second is being determined to correct it.