South Africa is facing a shortage of cybersecurity skills. It’s nothing new and we are not alone – this is a global challenge – yet, the gaps are growing locally.
By Simeon Tassev, MD and qualified security assessor (QSA) at Galix

The biggest obstacle: these skills take time and experience to build. In a world in which technology is advancing at breakneck speed and security threats are evolving at the same pace, this is something local businesses need to address now by investing in security technology and people.

South Africa is losing many of its top cybersecurity skills to international demand. Specialist security companies able to utilise scarce skills fully are essential to fill the gap for businesses. It’s the smart choice for corporates who are unable to find or keep these resources – and for security professionals who need to constantly update and grow their skills to keep pace with changing technologies and new threats.

Today, technology change is rapid. The three to five-year change cycles of yesterday have shrunk to less than 12 months in many instances. While not all topologies will change with these advancements, it is necessary from a security perspective to cover all potential aspects. So, for example, adoption of cloud technologies means all systems must be tested and secured against cloud vulnerabilities. In addition, consider what the integration of Internet of Things (IoT) devices and data means – that’s another whole level of controls that needs to be factored in. So, how big is the challenge really?

According to a 2017 member survey by 451 Alliance, a worldwide network of IT executives and experienced technology professionals, 67% of respondents say they are facing a skills shortage and for very large companies with over 10 000 employees that number jumps to 78%. To address the security skills gap, slightly more than half of the respondents plan to train existing staff and 44% will hire contractors. However, they rate information security as a difficult area to hire for with 44% rating difficulty at 8/10 (10 being high difficulty).

Skills outdated in less than a year

The reality is that security skills that are not constantly refreshed are outdated within a year. A lack of understanding of risk and vulnerabilities can lead to insufficient security measures or the wrong decisions. To minimise this risk, companies need the right skills–whether these are grown or hired in–to cross-check and validate their responses.

At Galix, where we specialise in development of security strategies and policies, and certification against security standards, we have found that security professionals need a minimum of three to five years’ experience. This is often even more important than the number or type of certifications they have. We then provide them with the necessary mentorship and experience across different ICT domains and environments to broaden and deepen their capabilities.

To develop their skills, security professionals need to combine theory and experience. They will start with white hat testing and develop generic skills across infrastructure and systems. Security is one component of a system. To get it right, the security professional needs to understand how systems are used. In short, to identify potential gaps, they need to understand the DNA of the business and the systems it uses, i.e. how architecture, infrastructure, software and hardware enables the business and how each component impacts the rest of the ICT setup.

Steps to address the shortage of cybersecurity professionals

How can South African businesses ensure they have the cybersecurity skills and the insight they need to protect their business, their assets and their customers?
Engage with specialists that understand risk and business impacts:

* Select security partners with deep and broad experience, a solid track record and references in the field or industry in which you operate; and

* Ensure you partner can engage with the business, understand and discuss your specific challenges.

Invest in technology and people:

* Technology: Apply best practices from cybersecurity perspective – ensure minimal controls such as firewalls, patch management, network and perimeter testing, anti-virus protection and authentication are in place; and put in place the tools (e.g., Artificial Intelligence (AI) and Analytics) needed to identify, collect and analyse data quickly, and act to address issues.

* People: Ensure staff are security-aware – put in place the necessary campaigns to keep them alert to phishing, malware and other threats to company data and systems; invest in your in-house security professionals, ensuring ongoing learning and challenging them to gain experience across IT and business domains; train security personnel to understand the level of threat and the risks, and know what actions to take to contain and prevent threats; invest in growing security skills in South Africa – invest in broad ICT education to grow a pool of security skills with strong ICT foundations that can go on to specialise as they advance in their careers.

To participate in the global digital economy, South African businesses must demonstrate their ability to secure their systems and their customers’ data. This will become increasingly important as artificial intelligence, virtual reality and other new technologies continue to emerge. Ensuring access to up- to-date security skills and specialist providers is going to be as important as actively participating in growing security skills in South Africa.