The shortage of security skills is a growing concern for SA businesses. Coupled with the increased sophistication and number of attacks, nation states and hacktivists, business face massive challenges in combatting cyber threats.
“There are just not enough security skills in SA to meet the need for improved security in both the private and public sectors, particularly in light of the slew of breaches that have made the headlines over the last few years,” says Robert Brown, CEO of DRS, a Cognosec company.
He adds that cyber security is a highly specialised sector, and different organisations need different skills to achieve their specific goals. “In this way, not all security professionals have or even need the matching skills; not all information security practitioners have all the relevant skills that would make up a security team, and some skills are more popular than others.”
There is also a dearth in targeted, cost-effective training that is developed and offered for the local market, forcing businesses to do their training in-house. “Moreover, in tough economic times, training budgets are being slashed, and with most security training offered by overseas entities, it’s just not affordable.”
Brown says training should be practical and must add value to the organisation. “The local security environment differs from the one in Europe or the US. Training courses must be designed for our unique environment, and businesses should evaluate their security teams and upskill accordingly.”
According to him, there are a plethora of information security workshops and courses out there that don’t provide the relevant value for trainees. “Businesses are taking advantage of the fact that security is always listed as a top concern for CIOs, and charging ludicrous sums for training courses that don’t really offer the right value. It is crucial to research the prospective courses, who is running them, what they promise to provide etc, before signing your staff up.”
He says a possible solution would be for businesses who are involved in the information security space, to start offering internships, to provide a better idea to candidates who are potentially interested in a career in security, and internal training to upskill existing employees. There are many certifications available, he says, and businesses should offer these to their security staff, particularly those that are internationally recognised.
“There are some great local courses too, run by various businesses – keeping up to date with skills is a must for anyone in the cyber security arena,” he adds.
Brown also advises ongoing training and upskilling of staff. “Regularly evaluate your teams and provide targeted training via short contact sessions as well as e-learning platforms to continually test and better existing skills. This would include awareness programmes, cyber security training on foundation, practical, and advanced levels, forensic investigations, cyber criminology, governance, risk and compliance, and similar.”
There’s no way around the fact that there are just not enough cyber security practitioners in the country, and indeed, around the world to meet the need for better security skills among organisations of every type and size. “This problem is only intensifying as companies face a barrage of new threats on a daily basis, and become only too aware of their own vulnerabilities. This is why is it is of paramount importance that businesses look to new ways to upskill their security staff. A qualification from a few years ago simply cannot hope to keep up.”