Spotlight on leadership in changing times

Metin Mitchell - Managing Partner

Cybersecurity skills shortage – we are trying to solve the wrong problem
Tuesday, 19 June 2018 06:00

Written by Metin Mitchell

There is a global shortage of cybersecurity skills, yet cybersecurity is the fastest growing and most pressing business issue for most corporates.

I don’t believe the solutions offered to solve this problem are going to help corporates within the timeframes needed – and actually I don’t think they will solve the fundamental problem.

First, what are the problems?  I then want to look at how various organisations are tackling these – which I don’t think will shift current trends for years. And then I will outline my own thoughts on how organisations can tackle this problem now – there are ways, particularly in banking.

Cybersecurity skills problem is getting worse

CSO Online does an annual survey into cybersecurity skills.  In the 2018 cybersecurity skills survey, not only do cybersecurity skills continue to be the largest problematic skills shortage, but the problem is getting worse, year on year.  In 2013, 23% of the global respondents said their organisation had a problematic shortage of cybersecurity skills – by 2018 this was more than half of all organisations, at 51%.

The impact of cybersecurity skills shortage is increasing

It is probably obvious, but still needs saying.  Because organisations cannot recruit the skills they need, pressure on existing staff is increasing and critical tasks are being pushed down to people who haven’t got the experience needed.

A research report out in December 2017, The Life and Times of Cybersecurity Professionals, by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), gives insights into the problem.

63% of respondents said the cybersecurity skills shortage has increased the workload for existing staff, 41% have had to hire junior personnel instead of more experienced professionals, and 41% said cybersecurity professionals spend a disproportional amount of time on incident response and not enough time on planning and strategy. Not surprisingly, cybersecurity professionals do not have time to continuously learn in their job despite agreeing that it’s essential in order to prevent cyber attacks.

This means that many cyber security professionals are a step behind the hackers and fighting fires rather than proactively strategising how to mitigate future attacks.

How is the cybersecurity skills shortage being addressed?

Do a search on this subject and there is no doubt people across the world are scratching their heads and trying wide-ranging activities.  But they will not address this problem for years.

How can we fill the cybersecurity skills shortage now?

Cybersecurity is a people problem, not a tech problem. In an earlier blog on The growing shortage of cybersecurity talent, I argued that we need to think outside the box and need a new model of cybersecurity skills at leadership level.

What are the real issues of cybersecurity?  Why is it a people problem?

This blog on the 9 common security vulnerabilities hackers exploit lists them as: mobile phones with ‘admin’ as their password, out-of-date patching, and weak email credentials and phishing.  These aren’t IT issues – they are poor employee practices.

So now to the solution.  And I focus here on the banking industry, where I have particular experience, but the principles apply to every sector.

We need to recruit senior bankers who are comfortable with technology, to run cybersecurity.

What is happening at the moment is that some poor IT person tries to explain to the CEO the risks he (or she) is trying to address and the actions and budget they need. The language used is about IT – he can’t translate this into the language of the board to explain the scale of the issue and the investment or action needed.  He doesn’t do it in terms of the legal, commercial and technical aspects – or the risks to the chief executive’s job.

Bankers will look at the bigger picture – those who are used to technology will be able to understand the broad issues and can top up knowledge with specific cybersecurity training. But what they then have is the ability to translate technology into commercial language and risks.  And above all, they then know how to communicate and influence within the business – from board level to operational employees.

And it is this business head plus influencing skills that will make the difference to managing cybersecurity, reducing levels of risk and responding better when issues do arise.

Yes, we still need more people with practical tech and IT skills – but getting senior business people to manage the function is what will make the biggest impact at the fastest speed.