South African organisations are at risk. As cyber threats escalate in frequency and sophistication, new research reveals an alarmingly high rate of security incidents over the past year, with experts pointing to a lack of awareness and qualified professionals as key contributing factors.
Fortinet, a global cybersecurity leader, recently conducted extensive research for its 2024 Cybersecurity Skills Gap Global Research Report. The study surveyed 1 850 IT and cybersecurity decision-makers across 29 countries, including South Africa. While the report focuses on global trends, the data collected specifically from South African respondents reveals a concerning picture of the nation’s cybersecurity preparedness and resilience.
According to the South African data, only 4% of surveyed organisations reported no cyber-attacks in the last 12 months. A staggering 50% suffered up to four attacks, while 10% experienced nine or more. The financial impact of these breaches has been severe, with 39% of South African respondents reporting losses exceeding $1-million, and at least one organisation suffering a loss of over $6-million.
Julie Noizeux, channel manager at Fortinet South Africa, says the high incidence of attacks is cause for concern: “Clearly South Africa is a prime target for attacks, yet globally we are lagging in terms of cybersecurity investments.”
Skills paradox
The research reveals a complex skills scenario. 60% of South African respondents believed attacks were due to a lack of in-house cybersecurity skills or trained IT/Security staff, while 58% attributed attacks to a lack of cybersecurity awareness. Paradoxically, only 36% indicated struggles with recruiting cybersecurity talent, and a mere 28% reported challenges with retention.
According to Noizeux, cybersecurity skills are in short supply globally. In South Africa, companies face the added challenge of the brain-drain of skilled professionals seeking better opportunities abroad.
“I work with organisations that continuously struggle to find talent,” she says. However, some are getting creative, countering the skills gap using partners and advanced technology. At the same time, they’re working hard to keep their top talent happy with attractive pay and perks,” she adds.
“One way to secure the organisation with limited in-house skills is to leverage channel partners and companies they can outsource cybersecurity services to,” Noizeux explains. “We see growth in the number of organisations using Managed Security Service Providers who offer the full security stack and management of the environment.”
Advanced technologies offer another avenue for organisations grappling with skills shortages. Noizeux advocates for a unified cybersecurity approach: “By leveraging a unified cybersecurity fabric or platform that connects with multiple products, organisations can achieve a unified view of the entire environment, achieving consistent policies, management and control.”
This approach can streamline operations by reducing the number of different technologies staff need to master, potentially allowing for more efficient use of human resources. “Machine learning and AI are increasingly taking on complex cybersecurity tasks. These technologies can automate threat detection and response, which helps reduce the burden on staff for routine, manual processes,” she adds.
Upskilling existing staff is a key strategy to address the skills shortage, says Noizeux. “At Fortinet, we practice what we preach,” she explains. “We hire candidates who meet most of our criteria, then create personalised development plans to help them gain the necessary certifications and qualifications.”
Fortinet is also tackling the skills gap on a broader scale. The company offers free cybersecurity training and has set an ambitious goal to train one million people in cybersecurity skills by 2026. “We’re already halfway there,” Noizeux says. Candidates only pay for certification exams if they wish to complete these.
Addressing broader staff cybersecurity awareness gaps is crucial for reducing risk. “It should be mandatory for staff to do cybersecurity awareness training as a continuous repeated exercise because the threats are changing continually,” she highlights.
Raising cyber awareness at the grass-roots level
Looking to the future, Noizeux believes cybersecurity education should start early. “The sooner we educate kids, the more valuable it will be for them in their personal and professional lives in the future,” she says.
Fortinet is taking steps in this direction, with its local Academic Partner Program which works with higher education institutions and schools around the world to help learners become part of an elite group of skilled cybersecurity professionals. It also has initiatives such as a local women’s employee resource group for cybersecurity in South Africa, aimed at raising awareness and inspiring girls to consider careers in the field.
As South Africa continues to face cybersecurity challenges, a multi-faceted approach combining skills development, outsourcing, advanced technologies, and early education may be key to bridging the cybersecurity skills gap and strengthening the nation’s digital defences.