John Stringer of Next DLP outlines why focussing on people, processes, and technology can help organisations manage the shortfall in cybersecurity professionals
We are facing a cyber skills crisis. Worldwide, in 2023, there were 3.5 million unfilled cyber jobs. In Europe, the shortage of cyber talent runs as high as 500,000, according to 2022 figures from the EU's cybersecurity agency, ENISA. In the US, a Homeland Security hearing on cybersecurity and infrastructure painted a similarly bleak picture.
This all has a knock-on effect on businesses. According to recent research from the Enterprise Strategy Group and the Information Systems Security Association, 71% of organisations say they are impacted by skills shortages in the cyber industry. And in the UK alone, a government report this year shows that 50% of all British businesses have a basic cyber skills gap.
This is not a new problem, and there has clearly been little improvement over the past decade. The talent gap is real, and the frequency and impact of cyber attacks are widely expected to keep growing, but throwing more personnel at the problem is neither the best nor the only solution.
Organisations need to take immediate steps to address this issue today by investing holistically across security, so that they can insulate themselves from the negative effects of the cyber skills shortage. These steps can be broken down into three investment pillars: people, processes, and technology. Simply waiting for the workforce to expand isn't going to cut it on its own.
People: Build a strong human firewall
While technology is an important component of any modern cybersecurity strategy, it is often over-weighted, crowding out the role that employees can play in combatting cyber threats. This is a dangerous strategy; cybersecurity awareness and education programmes are essential for building a strong human firewall. The value of investing in these programmes is hard to overstate: it shows up directly on the bottom line.
But these training programmes shouldn't be a quarterly checkbox for employees. Rather, when an employee has erred, that is the time to follow up quickly with tailored training that corrects the mistake while it is still fresh. Too often, training is mundane, scheduled at arbitrary times and too all-encompassing, without being bespoke or personalised enough to those who have actually made an error. By investing in training that empowers employees to identify and respond to potential threats promptly, organisations can avoid the financial and reputational damage of a cyber attack. This all begins with a security-first culture: an environment in which everyone takes responsibility for safeguarding sensitive information and adhering to cybersecurity best practices.
Processes: Establishing a framework
Now it’s onto processes. Effective and efficient cybersecurity requires well-defined processes and procedures. A robust framework will enable organisations to detect, respond to, and recover from cyber incidents in good time. This includes everything from incident response, to risk management and continuous monitoring. But not every business is on the same footing when it comes to cybersecurity maturity. The choice of framework will depend on the industry, business model or resources, but the only wrong choice is no choice at all.
When running with lean teams, having an established framework can boost efficiency by eliminating the duplication of efforts or gaps, and save the time of building something when the work has already been done. Processes make (near enough) perfect!
Technology: Security is a business’s spine
While people and processes are of course fundamental, the role of technology in cybersecurity is pivotal. It provides the backbone of any modern business, delivering the tools, infrastructure and systems required to protect digital assets and counter an ever-changing threat landscape.
Technology is not a passive bystander; combined with the power of people and processes, it is an enabler that allows organisations to defend against malicious actors and safeguard sensitive information. Crucially, it must be integrated with the existing security stack and with business operations to achieve a holistic and efficient security posture. That integration is what makes centralised monitoring and management, faster threat detection, more effective incident response, threat intelligence sharing and scalability possible. Working together, integrated solutions provide stronger defensive capabilities than any point product on its own.
A holistic approach for a modern organisation
"The body cannot live without the mind" is an oft-quoted line from Morpheus in The Matrix, and the same could be said of modern businesses when it comes to cybersecurity. Businesses today cannot live without people, processes and technology, both to insulate themselves from the fallout of a squeezed cyber labour market and to withstand a world of increasingly dangerous cyber attacks.
This holistic approach combines investing in security talent, training employees, establishing robust processes and leveraging technology. As threats evolve, so do we. So do our processes. And so does our technology. With all three front of mind, businesses will reap the rewards of a comprehensive cybersecurity strategy.