Combating the cyber security skills gap, both in terms of recruiting quality talent and employee awareness, continues to be a top concern for the board. The threat landscape is constantly evolving and CIOs from public services to the enterprise are facing a global cyber skills shortage. A recent report from ISC2 highlighted a shortfall of over one million trained security professionals, with the figure forecast to rise to 1.8 million in the next five years. There is no quick fix for this problem, but the CIO can instil a culture of security to actively tackle the shortfall.
CIOs can deploy the most robust security software on the market, but employees should always be the first line of defence. A recent study from Forcepoint highlighted that 35% of employees across major European countries have been involved in a security breach. More often than not, hackers aren’t the cause of breaches. It’s more likely that an employee has inadvertently shared sensitive information when they shouldn’t or a malicious insider has purposefully leaked data.
A company culture that does not currently value security can take time to change, but simple steps are available that can be especially effective in a short timeframe.
Collaborate with HR and L&D
First and foremost, there needs to be a universal awareness of security policy across the entire organisation. The IT department should work closely with the HR and L&D teams to construct robust security policies that can be understood by all employees. It is critical for every employee to know how to prevent themselves from putting the company at risk, whether it is through weak passwords, clicking on unsafe links or using unauthorised personal devices in the office.
Often, security policies are not refreshed as new threats emerge, or re-shared with employees often enough. As best practice, the security policy should be mandatory and circulated around the business at least once a year. On-boarding new joiners and returning employees (from parental leave or a long absence) is equally important. It should be treated with the same level of importance as health and safety.
Invest in role-specific training
Security training should also be role-specific. The security needs of a helpdesk worker will be very different to the requirements of a developer. Continuous learning is valuable to ensure that staff keep their skills up to date. Classroom training is expensive to run and tricky to organise. Given that security threats evolve constantly, companies should consider online, on-demand training where the courses are always up to date and can be taken at times convenient for employees.
Grow your team’s skillset
Many organisations are also starting to invest in ethical hacking skills. This is essentially where someone uses the same techniques as a hacker to identify the weak points in an organisation’s cyber security, but instead uses that knowledge to improve its defences. With the right skills in place, ethical hackers can advise businesses on all aspects of digital security and make the organisation much more resistant to attacks. This advice can range from showing programmers and app developers how to make their code harder to hack, to providing other members of staff with advice on choosing passwords that are harder to guess, or on how to spot phishing emails.
Create engaging content
It’s also important to drive awareness of breaches that happen to other firms and governments. Companies I work with often share a monthly email or intranet feature on a particular aspect of security that’s high on the priority list for the month. You can use a breach in the media to build a story and highlight courses that can be taken to avoid the same mistakes being made in your organisation.
If you can, make security training enjoyable. Incentivise the training, for example, by giving employees the chance to win an extra day’s holiday if they complete all of their security courses. The biggest incentive should be: protect the organisation and the organisation will look after you.
Lead by example
CIOs and CISOs need to live and breathe security. The best CIOs and CISOs take an active interest by blogging about security, sharing insights with their organisation and attending the same security awareness courses as their staff.
To create a culture of security, you can’t just expect employees to understand security policy by leaving them to do some training courses. Taking an active interest and leading by example will go a long way to build this culture. If senior management aren’t prepared to take an interest in security, then why would staff?
If the last few years have taught us anything, it’s that cyberattacks are here to stay. As attacks become increasingly sophisticated, the skillset of employees should follow suit. It is vital that companies look to create a culture of security and arm their staff with the right skills to better protect the business.
Julian Wragg is VP EMEA & APAC at Pluralsight