
Skill Gaps in Cybersecurity: Can we breach the talent code?

Clifton Menezes

This article was originally published in and has been reproduced here with permission.

Sample this: A whopping 500,000 Zoom passwords – some belonging to Chase Bank and Citibank employees – were stolen and available for sale for 15 paise per account, according to a Bleeping Computer report. Similarly, healthcare services across the world have been subjected to relentless ransomware attacks with the intent to steal critical data. And the list goes on…

Welcome to the continuing – and fast-spreading – world of cyberattacks! A Capgemini Research Institute report, Boosting Cybersecurity Immunity: Countering cybersecurity risks in today’s work-from-home world, states that COVID-19 has enlarged the attack surface for hackers, given the rise in work from home as well as in online financial transactions.

How do businesses react to this existential crisis? Per IDC, security-related hardware, software, and services spending is forecast to reach $133 billion per year by 2022. But technology is only a partial solution, because many cybersecurity breaches relate to gaps in human performance. And the manpower shortage is only aggravating the problem.

The reasons are two-fold. First, expansion of the digital marketplace has generated more demand for cybersecurity pros. Second, we aren’t creating skilled professionals at the same pace. Organisations that successfully attract and retain the best cybersecurity talent will be most effective in containing cyber risks. This can be addressed at two levels: talent acquisition and post-recruitment training.

Talent acquisition is the first step

For a long time, the discussion on how to recruit and retain talent centered around millennials, elite school graduates, seasoned professionals, etc. Now, COVID-19 has induced an urgency among organisations to onboard candidates of all groups and backgrounds, because research shows the quality of hires is unrelated to their background.

New-age technologies have taken center stage in recruitment, especially for specialized cybersecurity roles. Organisations are actively deploying Artificial Intelligence-based sourcing methods for screening and stack ranking candidate profiles. For example, an AI-enabled applicant tracking system (ATS) database reads through the job requirement and sources candidates from across job boards based on the desired cyber skills.

After a thorough evaluation, it provides a ranking list of candidates illustrating the match percentages that were found. Apart from evaluating specific cyber skills, it also correlates the likelihood of a candidate accepting an offer. The process is fast, accurate, and helps in making objective decisions in recruitment.

Boolean and advanced X-ray searches, as well as Chrome extensions, especially help identify talent with the right cyber skills. Beyond that, psychometric analysis and personality tests provide ideal candidate profiles and show what resonates with candidates.

Scouting through market mapping on cybersecurity networking platforms generates good leads for key cyber skills hiring. Similarly, source-a-thon (sourcing marathons) or bug bounty programs (rewarding individuals for reporting security bugs) help to identify good talent. Organisations like Apple, Facebook, Google and Microsoft hold such events periodically. Companies could also source talent laterally from military and government ranks given their expertise in handling sensitive portfolios. Recruitment should also be diversified to induct more women.

Mitigate cyber threats through effective learning

Capgemini’s Boosting cybersecurity immunity report states that educating employees in cybersecurity should be a priority to mitigate threats, especially for those in specialized cybersecurity roles. As CISOs evaluate the risks, coaching in threat intelligence, incident response, and forensic investigation will push such employees to start early and develop better affinity towards their roles.

To start with, prospective cyber specialists gain rich experience by interacting with inhouse experts. Inhouse mentoring, hands-on training in an industrial setting, or cross-training candidates across organisations are excellent ways for practical learning. A Yammer group for cybersecurity champions to share updates will encourage social learning amongst budding specialists.

A two-pronged approach – role-based modules and skill-based learning – is imperative. Role-based modules include videos, articles, case studies, assessments and assignments, while skill-based modules are focused learning programs mapped to help employees augment skills and be more fungible. Similarly, ExpertSpeak sessions – where industry experts share views on current threats or mitigation strategy – have helped broaden employee perspective on cybersecurity.

Finally, automating security intelligence improves security, reduces human error, and lowers staff workload and burnout. It helps build a more agile cybersecurity system. A good example is a manufacturing company with only one cybersecurity employee in its 300-strong organization. Similarly, US-based specialty retailer PetSmart saved up to $12 million in fraud detection using AI.

Address the cybersecurity skill gap… NOW!

The cybersecurity threat is looming because no industry is immune from it. Cybersecurity Ventures predicts 3.5 million unfilled cybersecurity jobs globally by 2021, and businesses should aim to fill the numbers and leverage human performance as a key defense for reliable cybersecurity.

COVID-19 is an opportunity for organisations to introduce better people and processes in the system. Investment in cybersecurity pays off big time, and permanently. Ultimately, closing the human performance gap through new methods and better understanding of the organisation culture is the best defense against cyberattacks.

Now’s the time to do it!