Closing the information security skills gap

According to figures from a 2017 report conducted by the Department for Culture, Media and Sport, as many as 46% of UK businesses suffered some sort of cyber-attack or breach in the preceding 12-month period. Cyber-attacks are perhaps more common than ever and the trend only seems to be gathering pace. Last year saw high-profile data breaches at some of the world’s most recognisable companies. Deloitte was targeted by a sophisticated attack which compromised confidential emails, retailer CEX suffered a breach which exposed personal customer information, and payday loan company Wonga fell to a breach which included bank account information.
Cyber-attacks are never far from the public consciousness, and there has even been widespread speculation as to whether the US election was ‘hacked’. Whatever the truth of that, information security is never far from the headlines and is even closer to the thoughts of technology leaders.
While the threat of data breaches and leaks increases, so does the scrutiny placed on firms and the level of compliance they are required to meet. With the General Data Protection Regulation (GDPR) set to come into effect in May, there will be even more attention paid to data security, and many organisations may find that they are ill prepared for compliance. During our recent Demystifying GDPR webinar we found that 60% of businesses were underprepared for GDPR, a figure which is low in comparison with research conducted by others, which put the figure as high as 90%.

Skills gap compounding the issue

The difficulties posed by the increased threat and closer scrutiny are only compounded by a widening skills gap within the information security sector. This is perhaps the fastest-growing sector in any industry, and the rapidly rising demand for security skills and experience is simply outstripping supply. The cyber skills shortage is impacting organisations of all sizes, industries and geographies.
Research into the state of IT conducted annually by ESG has revealed that the skills gap in information security continues to widen and has doubled in the past five years. In 2014, 23% of respondents to the survey stated that their organisation had a problematic shortage of information security skills. This had climbed to 51% at the beginning of this year. Clearly, this is an issue which is being felt across many industries and organisations, and is a concern which extends beyond IT leadership into the boardroom.
The key to success in a market of constant change is adaptability. Businesses in the technological and digital industries, while typically innovative and forward-thinking, can find it challenging to source people with the right skills and experience. So the question is: what can technology leaders do to ensure that they have a fully staffed information security function and stay in front of ever-changing threats and regulations?

Identify the appropriate skills

Information security is not a simple operation and there is no one-size-fits-all security approach. Each organisation’s security programme will be defined by numerous factors unique to it, and as such the approach to security will differ. Two security analysts may have significantly different skill sets based on the type of work they have carried out throughout their careers. One may be ideally suited to your organisation while the other may have skills which do not gel with your requirements. It is important to understand exactly what type of skills and competencies a role requires, and this cannot be identified by job title or function alone.

Involve security function in the recruitment process

One of the best ways to ensure that you are identifying the right skills, and ultimately bringing the right people on board, is to involve your existing security function in the recruitment process. It is fairly common practice for a job spec to be devised and then for the head of department or director to move forward with the recruitment process independently of the security team. By involving key members of the team throughout, you not only get an idea of how a new hire may fit within the team, but can rely on the judgement of a group rather than one or two individuals. Where specific and highly technical skills are at play, it is a smart move to involve those who have a strong understanding of how those skills will interplay with your existing set-up.

Invest in technology as well as people

Something which most people working in IT have in common is an interest in technology. It sounds obvious, but the people you are looking to hire will be tech-savvy and energised by the prospect of being at the forefront of their industry. Your chances of hiring the best people in your field are severely hampered if your IT set-up is outdated. The best people want to work with the best technologies and platforms, and are unlikely to accept a role in which they will be forced to work on an outdated set-up. To that end, it is important that you view your technologies as an ongoing concern in the same way that you would your staff.

Constant training

Information security is a field in a constant state of change, and it requires a dynamic skill set, one which evolves as quickly as security threats do. By providing employees with constant training you are not only keeping your security up to date and fit for purpose, but bringing your employees along with it. One of the most cost-effective retention strategies across any industry or job role is a strong training and development plan. This is nowhere more evident than in IT, where technology moves so fast. Professionals who are confident that their employer is invested in their future are far more likely to buy into long-term projects and to give their best towards the outcome.
If you are looking to expand your information security function please get in touch with one of the Michael Page Technology team.