It has become abundantly clear that the issue of cybersecurity is not going away anytime soon. Every day, it seems that the number of vulnerabilities and risks organizations are susceptible to increases, yet the number of solutions we have to defend against them is lacking.
According to CRN, global security spending among businesses is expected to reach $1 trillion by 2021. Many companies are realizing the need for investing in tools, technologies and processes to help defend against the rising security threats, but there are still a fair number that are limited in their budgets. Given the amount of attention government agencies, industry experts and the general public have paid to this topic over the past year or so, it may be hard to understand why major data breaches are still occurring at rapid rates. Some might assume that the biggest barrier keeping organizations from effectively protecting sensitive information, critical infrastructure and computer networks is money.
However, there are other contributing factors that should also be taken into account. SkyHigh Networks Senior Vice President of Product and Marketing Kamal Shah told InformationWeek that a study conducted by his organization recently revealed that perhaps a bigger cybersecurity concern plaguing organizations is the ongoing talent shortage.
Security: Skills versus spending
The majority of businesses today are swarmed with an incredible amount of security risks that are threatening both internal and external operations. And while investing in the appropriate IT systems, software and applications to defend against such malicious threats is imperative, it is not all that is required for cybersecurity success. Furthermore, it is important to note that effective processes for cyber safety and incident response must be in place. However, they mean very little if the people themselves who are responsible for carrying them out aren’t thoroughly and sufficiently trained in cybersecurity.
“Implementing information security processes doesn’t mean much if the people responsible for them aren’t properly trained or educated.”
According to the SkyHigh survey, over the next five years, 80.4 percent of participants said one of the most critical IT skills will be incident response management, followed by data management (74.7 percent) and communication with non-IT departments (66.4 percent). Part of the problem pertaining to organizations’ insufficient IT security effectiveness is that even those who are currently responsible for monitoring and defending a company’s critical infrastructure against cyberattacks indicate an issue with how alerts are presented, as well as how they are responded to. For example, about 40 percent of the survey participants agreed that alerts do not come with actionable guidance on how to act, and more than 30 percent admitted that they have ignored potential threats in the past due to the number of false positives they constantly have to deal with. On the other hand, approximately 27 percent said a security incident has occurred without a prior alert.
As InformationWeek explained, it is not inadequate levels of information that are harming the security of organizations, then, but the lack of awareness and ability to act even when they are given the necessary information. This is why it is crucial that businesses invest just as much, if not more, in their people as they do their processes.
“It’s not just about buying new tools and new toys, but making sure that the employees are trained and have the skills to take advantage of those technologies in the most effective way,” Shah said to the source.
Training the right talent
But who should the cybersecurity training be aimed at? The survey showed that most corporate executives feel the solution is to onboard and train new hires. However, given the skills shortage, this is becoming increasingly harder to do. A more affordable and efficient alternative would be to provide training to existing employees, which most staff members agreed is the best option.
Cybersecurity awareness needs to begin at the top. It can be quite difficult for employers to ensure their teams are being properly trained in cybersecurity if they themselves are not aware of or well-versed in the threats and best practices for defending against them. This is why it is highly recommended that all levels of an organization, starting with upper management and the C-suite, complete cybersecurity awareness and training. Doing so will make them better equipped to execute such promotion and support throughout the entire organization and make sure that adequate preparation is being offered. They will immediately become more involved in the decision-making process, making better, more informed and strategic investments in cybersecurity along the way.
At The National Cybersecurity Institute, we offer a handful of courses designed for different experience levels, including the Specialty Cybersecurity Awareness Course for Managers and Supervisors, which is only eight hours, and the three-hour C-suite and Board Level class. Enhancing the integration, collaboration and involvement from business managers is becoming increasingly important as the tech talent shortage continues to harm companies and limit access to IT professionals and the knowledge and skills needed to defend against the rapid acceleration of cyber threats. Encouraging education and training programs will make employees better equipped to deal with security incidents – and prevent them from occurring in the first place.