South Africa needs a larger cybersecurity skills base and more professionals in the field to combat the escalating threat of cyberattacks. Yet, with a global shortage of skilled cybersecurity practitioners, initiatives to grow the skills pool through training and hiring will not be enough.

Companies should add another angle: making cybersecurity more efficient by putting risk-informed security measures at the centre of what their teams do.

The skills shortage continues

Despite years of focus on the problem of a global skills shortage, attempts to create more security professionals have barely made a dent.

According to a new survey among security leaders, Command Zero’s Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders, “88% of respondents expressed concerns about operational issues related to the lack of skilled staff and high attrition rates”.

Information security leaders are still feeling the pinch of staff shortages, and recruitment has slowed. The new 2024 ISC2 Cybersecurity Workforce Study reports that the global active cyber workforce has stalled at 5,5-million people, growing only 0,1% year-on-year in 2023. Some attribute the problem to cybersecurity’s complexity.

“You can’t just churn out new cybersecurity professionals like it’s an assembly line,” says Gerhard Swart, chief technology officer at cybersecurity company Performanta. “Cybersecurity requires a broad skills set that understands different parts of a technology environment. Cybersecurity professionals are not just trained but moulded.”

Most industry professionals agree that hands-on experience, credentials and completed training are all needed to qualify a candidate. Effective training therefore takes much longer, more people fail to qualify, and those who do qualify become far more valuable and are headhunted more aggressively.

A new look at the cybersecurity hole

Cybersecurity also keeps evolving, making it even harder to find qualified people who can work in high-pressure environments, in teams that manage complex layers of technology for businesses. While it is crucial to keep training new people and to expand cybersecurity career options, these tactics are not sufficient on their own.

Swart equates it to being in a hole.

“You are stuck in a hole, so what do you do? Instinctively you try to climb out or dig your way out. That’s the training solution. What we’re seeing is that the walls keep collapsing. We’re not any closer to reaching the surface. At this point, you should start looking at the nature of the hole. Is the soil soft? Are you focusing too much effort on some areas and not enough on others? Are you unknowingly sabotaging your efforts?”

There is an unspoken problem in cybersecurity. Every time a new significant threat or systemic weakness surfaces, cybersecurity companies sell a new solution. Organisations end up with a virtual warehouse of different security solutions that address specific problems, and the market is happy to keep selling new products and services.

However, this approach has two drawbacks. First, it increases complexity and technical debt, which demands even more people and time for operational upkeep and draws focus away from the strategic work that makes security effective. Second, each tool works well in its own domain, but the resulting sprawl makes it hard to integrate them and to close the gaps between them that criminals exploit.

As a result, security teams are often buried under alerts and maintenance work such as system patching. They also struggle to align their actions with business priorities, so cybersecurity becomes something that exists for its own sake rather than something focused on protecting the company.

The rise of risk-based cybersecurity

However, there is an answer: don’t protect everything; protect what matters most. This concept has taken root through newer security frameworks such as Continuous Threat Exposure Management (CTEM), first introduced by analyst firm Gartner in 2022. The rationale is that not every asset is equally attractive to attackers or equally important to the company’s operations, so business risk should determine priorities.

“The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organisation,” Gartner explained in its initial CTEM report.

While risk-based analysis of cybersecurity is not a new idea, little attention has previously been paid to how to put it into practice. Frameworks such as CTEM and Risk-Based Vulnerability Management (RBVM), popularised by Omdia in 2023, are direct attempts to position business risk as the starting point of all security investments.
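To make the prioritisation idea behind CTEM and RBVM concrete, here is an added example (not code from the article, Gartner, Omdia or Performanta) that ranks a set of constructed findings two ways: by raw CVSS severity, and by a risk score that also weighs exploit likelihood, in-the-wild exploitation, asset criticality and internet exposure. The scoring formula, its weights, the asset names and the finding identifiers are all illustrative assumptions, not a published standard.

```python
"""Risk-informed prioritisation of vulnerability findings.

Added example for this article; not code from Gartner, Omdia or Performanta.
The scoring formula, weights and sample findings are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str                    # hypothetical internal ticket id, not a CVE
    asset: str                  # fictional asset name
    cvss: float                 # technical severity, 0.0 to 10.0
    exploit_likelihood: float   # 0.0 to 1.0, e.g. an EPSS-style probability
    known_exploited: bool       # exploitation observed in the wild
    asset_criticality: int      # 1 (low) to 5 (business-critical), set by the business
    internet_exposed: bool      # reachable from the internet


def risk_score(f: Finding) -> float:
    """Combine technical severity with exploit likelihood and business context.

    Assumed formula (illustrative, not a published standard):
        (cvss / 10) * likelihood * asset_criticality * exposure
    where likelihood is floored at 0.9 for known-exploited flaws and
    exposure is 2.0 for internet-facing assets, 1.0 otherwise.
    """
    severity = f.cvss / 10.0
    likelihood = f.exploit_likelihood
    if f.known_exploited:
        likelihood = max(likelihood, 0.9)
    exposure = 2.0 if f.internet_exposed else 1.0
    return round(severity * likelihood * f.asset_criticality * exposure, 3)


def prioritise(findings, budget):
    """Top `budget` findings by business risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)[:budget]


def by_cvss(findings, budget):
    """The same remediation budget spent on raw CVSS severity, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)[:budget]


def risk_covered(findings, chosen):
    """Fraction of the total risk score addressed by the chosen findings."""
    total = sum(risk_score(f) for f in findings)
    if not total:
        return 0.0
    return round(sum(risk_score(f) for f in chosen) / total, 3)


# Constructed sample findings (fictional assets and identifiers).
SAMPLE = [
    Finding("F-1", "dev-test-vm",     9.8, 0.05, False, 1, False),
    Finding("F-2", "customer-portal", 7.5, 0.30, True,  5, True),
    Finding("F-3", "payroll-db",      8.1, 0.12, False, 5, False),
    Finding("F-4", "marketing-site",  6.5, 0.60, False, 2, True),
    Finding("F-5", "internal-wiki",   9.1, 0.02, False, 2, False),
]


if __name__ == "__main__":
    budget = 3  # assume the team can remediate three items this cycle
    cvss_pick = by_cvss(SAMPLE, budget)
    risk_pick = prioritise(SAMPLE, budget)
    print("CVSS-only order :", [f.fid for f in cvss_pick],
          "covers", risk_covered(SAMPLE, cvss_pick), "of total risk")
    print("Risk-based order:", [f.fid for f in risk_pick],
          "covers", risk_covered(SAMPLE, risk_pick), "of total risk")
```

With the same three-item budget, the CVSS-only ordering spends the team's time on a critical-rated flaw in an isolated test VM and an internal wiki, while the risk-based ordering starts with the internet-facing customer portal whose weakness is already being exploited. The point is not the particular weights, which a real programme would derive from its own asset inventory and threat intelligence, but that exploit likelihood and business context, not severity alone, decide where scarce analyst hours go.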

How does this affect cybersecurity skills? These models are essentially low-hanging fruit for an inefficient industry.

“Everyone has security tools and services, security teams, and managed service partners,” says Swart. “The problem is that they operate very inefficiently. They are still digging frantically instead of deciding what their biggest priorities should be. A risk-based security strategy uses the time of professionals much more effectively. Security teams don’t need to be so big, trying to tackle every security issue.”

Harnessing tech through risk

Risk-based security doesn’t devalue training initiatives; it creates more breathing room for security teams. Frameworks such as CTEM let company teams and their security providers work more intelligently. For example, companies like Performanta have created virtual Risk Operation Centres where risk professionals lead strategic analysis and business discussions, producing the blueprint that security teams then follow.

These operations benefit from technologies such as analysis platforms that scan company systems and automatically collect system status and patching information. Generative AI is also playing a role, for example through Microsoft Copilot for Security.

Such AI helps technical and non-technical security decision-makers understand events quickly and apply detailed playbooks to resolve issues. Gartner predicts that by 2026, organisations that prioritise their security investments through a continuous exposure management programme will be three times less likely to suffer a breach than those that try to secure everything.

“I would summarise cybersecurity’s problem that we are trying to do everything everywhere all the time,” says Swart. “It’s incredibly inefficient and it’s not working. Even the best security technologies don’t do much if everything is stretched too thin. This is why training alone will not close the gap. But risk-based frameworks change how we tackle security. It’s much more effective, it makes more sense to the business paying the bills, and it means we can do more with our talent pool and security technologies.”