Whenever a data breach or a ransomware attack occurs, there is usually an unsuspecting employee who has clicked on a malicious link or not followed the correct security policies or processes. This is certainly unfortunate, and many would sympathize with the individual because of the added stress, panic and emotions that come with being blamed. From a security professional’s perspective, trying to monitor this while assessing the level of risk to the company can be difficult, especially if assessments are not carried out regularly.
The Visible Issue
To make matters worse, there is a shortage of up to 500,000 cybersecurity staff in the EU, according to research by ISACA. The research found that only 8% of companies surveyed conduct monthly assessments, while 40% conduct annual assessments. Part of this is due to understaffing, with 62% of respondents saying they did not have enough cybersecurity staff.
In truth, the cyber skills gap is an interesting topic, and perhaps one that is more nuanced than it appears on the surface. For starters, there is a marked difference between skills shortage and skills gap.
One of the underlying issues is the ability or desire of employers to take people on board by creating a safe and inclusive environment in which they can learn and thrive. This would help people new to the industry, but also those already within cyber who want to cross-skill, including minorities and underrepresented groups.
Unfortunately, doing so requires a significant investment by hiring organizations, which most of the time do not have the resources and only want experienced people who can hit the ground running. This makes the talent pool they are dipping into significantly smaller.
Creating a Security Culture that Can Thrive
Cybersecurity is not the sole responsibility of cybersecurity staff, but rather of everyone in an organization. However, recent research in the UK found that more than four in five hybrid (82%), in-office (84%) and remote (85%) workers do not always make security-conscious choices, while over a fifth (21%) of full-time office workers do not feel responsible towards their company’s cybersecurity. This clearly shows a disconnect between the wider workforce's attitudes and behaviors towards security at their organizations.
While there is a shortage of cybersecurity staff, it is important that current employees are aware of the dangers in the digital world, too – not only to help alleviate some of the pressure on the security department, but also to act as a reliable human firewall. But how is this achievable?
It begins with addressing the psychological and behavioral mindsets of the workforce. Recalibrating these will have a greater impact on the security culture, because teaching the wider workforce about risks in the cyber realm and raising their awareness lays the foundations for them to take a keener interest in security as a potential profession. This includes how to act and stay safe online as well as how to spot the red flags of phishing, the most common cyberthreat, which in turn improves an individual's overall security habits.
When enough individuals are reached, these standard-setters will set off a chain reaction whereby others naturally observe and follow their security behaviors and habits. Moreover, security behaviors can be reinforced with engaging security awareness training that is tailored to staff and provides a positive learning experience, which increases the likelihood of information retention. From here, a strong foundation is laid for the security culture to thrive as the workforce gains a stronger understanding of its responsibilities from a security standpoint.
While these may be subtle changes initially, research has shown the effectiveness of security awareness training techniques, like simulated phishing, on a workforce in helping to create a human firewall. By increasing the overall security education of members of staff, organizations can provide employees with the best opportunities to make smarter and safer security decisions.
Furthermore, they will be reducing the organization's risk exposure and alleviating the pressure on a security department that is likely understaffed and under-resourced. You never know: a regular member of staff may even become a ‘security champion’ and someone who could potentially transfer to the security department, helping to redress the shortage of cyber skills.