
There is good news and bad news. The good news is that there are more cybersecurity professionals than ever before: more than four million people work in a security-related job.
The bad news is that there is still a global gap of 3.4 million cybersecurity workers, and 70% of those surveyed said that their organization's security team is understaffed.
As cyberattacks grow more sophisticated and the threat landscape expands, organizations need to get more creative in their cybersecurity approach. More can be done to reset the parameters for building skill sets, and internal cybersecurity programs need to be rethought from the ground up.
Cybersecurity is All About People
Cyber skills shouldn't be limited to experienced and well-trained professionals. The security team runs the show, but its focus is on technology.
Most cyber incidents are the result of human error or lack of knowledge. Sometimes the workplace culture doesn't encourage employees to come forward when they see something odd, and that allows threats to slip under the radar.
Everyone is part of the solution when it comes to security best practices. That matters even more because of the current staffing shortage: the skills gap will be closed by making security an all-hands-on-deck effort.
Certification for Beginners
One of the biggest challenges in closing the talent gap is not a lack of people with the right skills, but rather unobtainable standards for employees who are just beginning their careers. Many entry-level postings ask new hires to hold the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) credential. Those exams require several years of job experience, are expensive, and are difficult to pass on the first try. By the time someone has earned one of them, they are no longer applying for entry-level jobs.
This approach has kept out many people who are just beginning their careers. A new initiative called One Million Certified in Cybersecurity was created to address the certification roadblock in the talent gap. Participants who enroll as an (ISC)2 candidate receive free training and a free exam opportunity, and once certified they gain the same professional development opportunities and resources available to other certified professionals. The overall objective is to increase the supply of skilled labor for entry-level positions and beyond, but it is also an opportunity for more people to explore a cyber career without spending a lot of money.
When hiring new entrants into the field, employers need confidence that the candidate has a solid grasp of the right technical concepts and a demonstrated ability to learn on the job. A beginner certification gives employers that confidence when bringing in less experienced talent.
Rethinking Security Awareness Training
Conventional security awareness training isn't working. When it comes to real-world attacks, it has had little to no measurable effect on how users behave, and annual lectures are not moving the needle.
A different style of training may be more beneficial. Users become partners with cybersecurity professionals when they understand the consequences of their actions and how to decrease their risk. The goal is to reduce human-caused incidents so the security team can focus on the technology, which means users need to be more engaged in training.
The Head of Trust Culture and Training at Atlassian said that training should be fun. Employees feel important to the company when training is enjoyable. Security training should be relevant and fast-paced and should add an element of story; you want your employees to talk about the session in casual conversation.
Training films that are made like actual movies have drama and excitement but are tailored to highlight your organization's security concerns. The training sticks because it is far more engaging than a PowerPoint presentation.
Changing Behavior to Bridge the Gap
Dealing with a skills shortage also means changing overall behavior. Security best practices will depend on the user experience in order to be effective. "You want users to reach the point of making better decisions and regularly doing the right thing", said Ira Winkler, field CISO and vice president with CYE, who spoke at the Security Congress.
Security teams can incorporate cybersecurity into job functions and modify IT interfaces to encourage behaviors that reinforce good security habits. Employees should be rewarded for doing the right things rather than punished for doing the wrong things.
The skills shortage isn't going to be solved in a day or two. But with steps such as improving security awareness training and accepting beginner certifications as an entry-level qualification, organizations can adjust their approach and improve their cybersecurity posture.