Cyber Security Skills Gap Assessment - A guide for CISOs
When it comes to running a successful business, and the successful teams within it, knowing which skills you have and which you lack is an essential component of success.
Skills gap analysis is a way to get a better understanding and picture of your teams and just what they are capable of doing.
When it comes to your cyber security skills gap assessment, this is no different, and in today’s ever-changing and fast-paced world, having advanced skills in dealing with issues is ever more important.
In this article, you will learn how the cyber security skills gap affects the marketplace, how to conduct a cyber security skills analysis, how to address the skills gap and, finally, how to automate certain areas of your requirements in order to maximise your team's capabilities across the organisation.
The Cyber Security Skills Gap
There is a growing concern that we are not equipped to deal with a global skills gap in the cybersecurity sector, and the statistics aren’t alleviating the concerns. By 2025 we could see up to 3.5 million openings in the marketplace, meaning that there will be a lot of potential for cyber criminals to inflict greater damage on organisations and systems in the years to come.
The pandemic saw a mass upswing in cyber criminal activity, with online transactions skyrocketing as many people were forced to stay at home or work from home. This opened the door to many of the cybersecurity risks that industry experts have been seeing for years, including ransomware, malware, cyberattacks and so on.
With more of us having to change the way we work, and our behaviours switching to more internet-based living with the arrival of the Internet of Things, the demand for cybersecurity professionals is set to increase at a time when there is already a massive shortage of talent. In the UK alone, a government study found the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year.
So what is this all pointing to? In short, cybersecurity is one of the most sought-after tech skills in the UK and there aren’t enough people to fill the roles. It also points to the following:
- The UK’s cyber skills shortage has surged by more than a third in the past 12 months.
- Recent cybersecurity breaches show the value of cybersecurity.
How to Conduct a Cyber Security Skills Gap Analysis
There is a need for organisations to better understand what cybersecurity skills they have and what they need more of. One of the best ways to do this is by carrying out a skills gap analysis.
A skills gap analysis identifies the gap between the set of skills required for a job and the set of skills that a person actually possesses. It also means understanding what your organisation needs at a skills level in order to strategically execute plans for the future.
Skill gap analysis system
The recommended method for conducting a skills gap analysis is the following:
- Confirm / clearly define business objectives
  - Where is the organisation going?
  - What roles need to be filled to get there?
  - What is the timeframe for the organisation to achieve its goals, and is it able to do so with the skills currently available?
- Determine what’s needed for success
  - The process starts by identifying what skills are actually required. What do you really need in order to execute your business strategy for the present and future? What is going to bring ultimate success?
  - What skills are anticipated to be needed?
  - Are there future roles / jobs that don’t currently exist?
- What are the current capabilities?
  - Can be assessed using SWOT analysis
    - Strengths / Weaknesses / Opportunities / Threats
- Identify the skills gaps that need to be filled to achieve success
- Create appropriate strategies to fill those identified gaps
How to Address Your Cyber Security Skills Gap
Once you have carried out the skills gap analysis, you need to ask what your organisation can do to fill the identified gaps. Luckily, there are some quick fixes and long-term solutions as well.
- Insource or outsource cybersecurity?
  - Sometimes your business needs to move faster, and training is a solution that takes longer to implement. That's where outsourcing/contracting comes into play.
  - You can bring in outsourced cybersecurity expertise to fulfil your cybersecurity requirements and have a short-term solution in place whilst you look to implement a recruitment or training program in this area for your organisation.
- Invest in training
  - This could be done internally by someone who has a much deeper understanding of the subject and can create a learning environment for the team members who need upskilling. Alternatively, if you have the budget, you may be able to hire a team to come in from the outside and train your teams. For example, many cybersecurity organisations will have regular training sessions with third-party trainers and seasoned experts who teach this type of content for a living.
- Hire people with the right / required traits
  - Cybersecurity is a discipline that requires ongoing learning. It is not something that you can pass on to a member of your team who doesn’t have the necessary skills or knowledge to perform it: it is a skill, and skills are learnt over time and with training.
  - It is therefore important that those engaged in these roles are self-starters who are keen to keep their knowledge and skills up to date.
  - Skills assessments and behavioural assessments can give insight into who in the organisation can best transfer their skills and knowledge into these areas.
- Make cybersecurity the responsibility of every staff member
  - Of course, you are only as strong as your weakest link, so it is important to train all staff in how to remain safe and secure when using business IT resources.
  - With the rise of ransomware attacks in the last five years, giving your teams the basic knowledge and understanding of what security measures are needed and what the threats are is essential.
- Identify cybersecurity threats and weaknesses
  - An understanding of an organisation's threats and weaknesses informs what needs to be done to fill identified gaps. Performing a vulnerability assessment will help to identify where these threats are and what more needs to be done.
Without question, one of the biggest questions, given the increasingly advanced and rapid pace of cyber attacks, is this: can security automation fill the cyber security skills gap?
Following interviews with 500 UK IT decision-makers, Trend Micro found that more than two-fifths (41%) believe that AI will replace their role by 2030. Many others, meanwhile, believe that automation is actually causing the issues, because of the speed of scriptwriting used to break into analysis systems in the first place.
The answer isn’t so simple. There is a lot to be said about the pros and cons, but many in the industry believe that automation can help deal with a wide range of tasks.
- Software is best at automatically processing huge volumes of IT data - such as log files and script searches.
- Using automation as part of a business’s intrusion monitoring processes can make the task less burdensome, less prone to human error, and more timely.
- Software is able to analyse huge amounts of data for security issues.
- Robotic Decision Automation (RDA) helps speed up IT security analysis, using machine learning and probability.
- Improving staff morale
  - Machines and technology can do much of the heavy lifting on cybersecurity, freeing IT staff to focus on the elements of their jobs that require human intelligence and ingenuity.
  - This eliminates various boring, repetitive, unappreciated tasks that would otherwise be required to deliver solid cybersecurity.
Assessing Your Company's Skill Gap
When it comes to running a successful business, and the successful teams within it, knowing which skills you have and which you lack is an essential component of success. One government study found the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year, and it is expected that there will be a shortage of 3.5 million people in cybersecurity roles by 2025.
Having the right people in place, with the right skills to carry out their roles, is essential to protect organisations and keep cybercriminals at bay. You do this by first analysing your skills gap requirements and then implementing the right strategy for your organisation.