SANS Institute expert: Tackling the cybersecurity skills shortage
James Lyne, Head of R&D at SANS Institute, says: "It is absolutely vital that cybersecurity should be a key consideration for every organisation."

With the lack of cybersecurity professionals more severe than ever, James Lyne, Head of R&D at SANS Institute, gives his opinion on how the issue can be tackled.  

As our lives become increasingly digital, we are exposing our critical infrastructure, commercial systems, citizen data and sensitive IP to ever greater risk of attack from cybercriminals, hacktivists and nation state operatives. Indeed, we have already seen the impact of attacks like Shamoon, which penetrated state-owned energy enterprises in Saudi Arabia, while other attacks have targeted healthcare and other public sector institutions in the region.

The region has high adoption of industrial control systems (ICS) and new automation projects like Smart Cities. These advancements afford great opportunities, but also make the region a more attractive target. Attackers have visibly been accelerating their agenda of pursuing ICS targets, for example the Triton/TRISIS attacks on safety systems, and ICS therefore needs to be a particular focus for skills development in the region.

It is therefore absolutely vital that cybersecurity should be a key consideration for every organisation, and this includes ensuring there is a pipeline of skilled industry professionals who can help protect the region’s critical systems, enterprises and citizens.

At the moment, this is a major problem: not just in the Middle East but worldwide, the cybersecurity sector is suffering a skills shortage which is rapidly turning into a crisis. According to reports, the worldwide workforce is heading for a shortfall of 1.8m cybersecurity workers by 2022 and the industry is not attracting enough newcomers to fill the gap. And in the Middle East, organisations typically have smaller IT teams than their Western counterparts and therefore have little time to keep on top of new threats and technologies.

Fortunately, there are answers. Long term, the solution has to lie with teaching appropriate digital skills in schools and in investing in retraining programmes to access a previously untapped pool of talented individuals.

SANS has worked with a number of governments to deliver programmes to educate school-age students in cybersecurity skills and is currently working with the UK Government on Cyber Discovery, a schools programme to increase awareness and skills in cybersecurity among 14 to 18-year-olds.

So many had not considered cybersecurity as a career before but, having started the programme, would now definitely consider it. These kinds of initiatives have to be the way forward.

SANS has also run a series of retraining academies both in the Middle East and elsewhere – testing for those with the greatest aptitude and then putting them through an intensive cybersecurity training programme.

Once they have undergone the retraining programme, students are then helped to find new cybersecurity roles that use their new skills. Experience has shown us that it’s not all about having hard-core technical skills: the ability to work in a team and business skills are also extremely important to a successful career in cyber.

Cybersecurity training for IT staff

In the meantime, there are other tactics companies can deploy. While the merits of on-the-job experience cannot be overstated, training can be the most efficient and thorough way to rapidly ramp up technical skills among existing IT staff. This is particularly true when it comes to cybersecurity.

By undergoing training, not only do IT staff become more efficient and have a better understanding of the technologies they work with – critical when defending against cybercriminals – but they can also become more knowledgeable in front of customers, troubleshoot better and so on.

Organisation-wide security awareness

While security is traditionally viewed as an ‘IT responsibility’, the human factor is one of the weakest links in the cybersecurity chain. If every employee is made aware of their impact on the organisation’s security, they are more likely to avoid the common pitfalls and consequently reduce the pressures on already strained cybersecurity teams – allowing them instead to focus on areas of cybersecurity that require true technical expertise and attention.

Security outsourcing

Finally, for smaller organisations that simply cannot afford to hire dedicated cybersecurity professionals, outsourcing options such as managed security services present a viable option. This allows IT teams to offload the responsibility of key security functions to experts who are highly trained and qualified, and who can monitor the environment 24x7x365.
