No matter the gap: it’s not skills we lack, it’s common sense
“Help, we are struggling to find the people we need!” A never-ending story that we hear about all the time. Simply put, we face a cybersecurity skills gap.
We are becoming all too aware of the gap between the skills we need and the resources we have. Businesses compete for skills, in some cases with criminal groups. Yet, is this a problem of our own design? When organizations run dozens or even hundreds of security tools, each needing its own staff to take care of it, of course we don’t have enough staff for everything. We have become victims of the battery of products that we believe will save us from ransomware.
The truth is that each new product you buy further divides your resources. We need to shift our mindset and move away from resource-intensive, multi-product security teams and focus on giving teams the tools and time they need to be effective. In many cases, systems and tools are deployed without using their full capabilities. They are long forgotten by the time you need them, and something new is bought.
Several tools provide a warm sense of security, but backups are still the most important defense against ransomware. Bad actors will continue to attack, so growing the security workforce is an ongoing effort. However, how exactly do we get young people and mid-level professionals to jump on the cybersecurity ship?
Not everything is technical, but if you are interested
The fundamental problem with the shortage is that whenever we train personnel on specific products, rather than broader security frameworks, they are not learning the transferable skills they need to survive growing cyber threats. This ultimately means that even the most experienced security professionals spend most of their time managing attacks instead of planning for the future.
Every person working in cybersecurity today started somewhere, and the amount of learning material currently available exceeds what existed when many of us started. Attracting the right person to one of these outlets can ignite a flame that fires up an organization faster than anything else. When you ignite a passion, you ignite something deeper, and helping these people manifest their talent can only benefit your organization.
There needs to be a new narrative that cybersecurity isn’t just about having technical prowess, as many roles don’t require a high level of technical expertise. These positions are a great stepping stone into the industry for those who lack the basic technology know-how you might expect when you think of a “cybersecurity expert”, and they provide valuable insights to security teams.
Organizations love silos, but what happens when broader strategies cut across silos, technologies, and outcomes? Here again, we point to people. Discarding traditional structures in favor of a results-based approach would not only empower the right people, but also reduce your expenses. By building a reputation for supporting your staff, you move away from the status quo and provide the tools for growth, which, in turn, attracts new employees. Seems like a win-win to me.
Skills shortage? No. Skills are right under our noses; we just need to use them more effectively to be successful.
People will save us, not products
While I would never suggest that you remove all of your security tools, I also recommend that you don’t rely solely on them. These solutions are ultimately in place to protect your systems in the event of a problem. The answer to cyber resilience is not a preventive solution; it is one that acts as a line of defense when the worst happens. After all, what is the worst result of an attack? Paying the attacker, or having your operations disrupted? I would say the latter. At the heart of your cyber resilience are your employees. If you can focus on the few tools that protect your data, you can focus your energy on giving your teams the time, training, and resources they need to be successful.
With all of these things in place, the skills gap won’t seem so daunting anymore. We are so busy focusing our energy on prevention that we disadvantage the teams that need the most help. An overloaded expert is no expert at all. When you finally decide it is important to train and develop your people, they will use their skills to the best of their abilities.
With the right mindset supported by the right solutions, leadership, and the right people, resilience can be achieved, data can be protected, and the question of whether or not to pay a ransom can become a thing of the past.