This year I am delighted that we have launched our cybersecurity practice to help our clients address one of their most critical issues, that of assessing and sourcing cybersecurity talent.

Much has been written about the growing shortage of cybersecurity skills and here I share just what the scale of this shortage is and its impact on business.

The most recent report is from Capgemini. Last month, their report, Cybersecurity Talent: The Big Gap in Cyber Protection, showed that corporate demand for cybersecurity skills is rising faster than internal supply.

They surveyed more than 1,200 senior executives and front-line employees and also included social media sentiment of more than 8,000 cybersecurity employees. 68% of organizations reported high demand for cybersecurity skills – compared to 61% demanding innovation skills and 64% needing analytics skills.

They then measured this against the availability of existing, proficient skills in the organization – and identified a 25% gap for cybersecurity skills. Their report said there was already 43% availability of proficient skills.

They predict that demand for cybersecurity talent will grow over the next 2-3 years; 72% of respondents predicted high demand for cybersecurity in 2020, compared to 68% today.


The industry magazine, Information Management, reported on two studies at the end of last year which they said gave “an alarming view of the state of data security” with organizations complaining of woeful lack of cybersecurity professionals.

The CyberSeek report from CompTIA, which tracks supply and demand in the cybersecurity space, says cybersecurity jobs must double in order to meet current demand, while the 2017 RedSeal Resilience Report says a majority of organizations lack the tools and resources they need to protect their data assets.

According to the RedSeal report, the data threat landscape is evolving much faster than security teams can respond. Nearly 80% of respondents said “they could not access insights that help to prioritize their response to a data security incident”, while 55% said they could not react quickly enough in the event of a major security incident.

Only 20% of organizations said they are extremely confident that they could run as usual after discovering a cyberattack or data breach.

It is concerning that most organizations (55%) say they don’t test their data security strategies enough because the tests are too resource intensive, take too much time or are outside budget. It could be argued that this is because there is not enough budget commitment to this area – but the report suggests it is more down to lack of skilled people.


According to Cisco, in its 2017 Annual Cybersecurity Report, the main barriers to adopting advanced security products and solutions are budget (35% of respondents), product compatibility (28%), certification (25%) and talent (25%).


So what should organizations be doing? My colleague, Raef Meeuwisse, looked at this in his blog “Is there really a cybersecurity skills shortage?”

The Capgemini report offers the following to address the problem:

  • Integrate security across the organization
  • Maximise existing skillsets – many employees are already investing to update their own skills, are they being used?
  • Think outside the box in recruitment, “for example, people on the autism spectrum are fantastic at pattern spotting and are often blessed with numerical and problem-solving skills, attention to detail and a methodical approach to work – all useful traits for cybersecurity best practice”

I would agree about thinking outside the box in recruitment and that is what we are focusing on in our practice.

However, what is interesting is that these reports cover the shortage in current cybersecurity skills, as we know them.

But I increasingly believe we need a new model of cybersecurity skills at leadership level – people who have strong technical skills but can also influence behaviours. Cybersecurity is not just about technology – it is about getting employees across the board to implement best behaviour: not pinning their password to their computer screen, not using their dog’s name for their password and not failing to update as requested by IT.

The new breed of professionals needs to be great communicators and persuaders as well as having strong tech skills.

Could this open up new areas to find the cybersecurity skills we need – or will it make the skills shortage even worse?

Published in Cyber security

It used to be said that the only certainties in life were death and taxes. To this grim list a third is now added: you will be victim to a cyberattack. No company, no organization, no individual is immune.

The quickest way for a CEO to lose his or her job is to be ill prepared for an attack. How well a CEO prepares and how well their team deals with a cyberattack will determine whether the CEO gets to keep their job when the bank is attacked.

One of the clearest signs that a bank is taking cybersecurity seriously is that the Chief Information Security Officer (CISO) or equivalent reports directly to the chief executive.

Yet research shows that of the top 40 banks in the Middle East, incredibly, more than two thirds do not have a CISO as a direct report. Banks are just not taking cybersecurity seriously. It must start at the top, with the CEOs and the boards of banks.



If you doubt this, think of the big attacks that we all know about: Saudi Aramco, the NSA, Sony, the British health service (NHS), Target, Yahoo, Uber, ABN Amro, JP Morgan.  And then guess at the ones that we don’t know about…

Consider for a moment the world we live in today. On the one hand we are in the middle of a Cold War that by some estimates is worse than the 1960s and 1970s – today nation states regularly make cyberattacks on non-military targets, harming commercial organizations and utility companies alike. On the other hand, we are in a world drowning in technology that opens up a myriad of vectors for us to be targeted by cyber criminals. Be under no illusion, cyber crime pays – it is a low risk, high reward activity. And at present rates it will grow into a two-trillion-dollar industry globally by next year.

The only thing you can do is to reduce the chances of a successful attack, reduce the potential impact and ensure that you have an effective recovery plan.

The other sign that banks are not taking cybersecurity seriously is by looking at the profile of the CISO or senior security expert. All too often the CISO has been promoted up through the IT function. So cybersecurity is seen as a purely technical problem rather than as a major business issue and of strategic importance.

Cybersecurity is far from just being an IT issue. It is a complex multi-discipline issue. Yes, of course there is an important technical side, but it also requires thought about how an organization does business and who it does business with. It encompasses legal issues, PR issues, HR issues. And most importantly, the CISO has to have a strong voice and the business skills to be able to communicate effectively the risk for the business/shareholder values to the CEO and the Board, as well as the required budget allocations and business changes to mitigate those risks.

How many of today’s CISOs in the Middle East have the skills to do that or, more importantly, how many are empowered to do that and drive forward a multi-discipline approach to cybersecurity?

What do banks in the Middle East need to be doing differently?

Cybersecurity has to be a board and CEO issue. The CEO has to be driving the cybersecurity agenda by allocating sufficient budget to cybersecurity, elevating the status of the CISO, investing in skills development of the CISO and his/her team, ensuring that the whole bank has been trained in cybersecurity awareness, and being obsessed with protecting the bank’s assets.

If the CEO does this, then when the attack comes it can be dealt with quickly and any impact eradicated and the bank can return to business as normal. The CEO who has shown due care to shareholders and leadership in driving the cybersecurity agenda of the bank will get to keep their job.
