Cybersecurity skills shortages leave us open to attack, says MWR Infosecurity SA's MD, Riaan van Boom
According to Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA), several EU states have found that cybercrime offences have surpassed traditional crimes, with trends such as crime-as-a-service and ransomware rising significantly. Given the increasing sophistication of the attack landscape, hacking has become a genuine threat facing organisations and countries across the globe. And yet, the ability of those targeted to manage such attacks remain, for the most part, limited. Riaan van Boom, Managing Director, MWR Infosecurity South Africa, unpacks the issue.
The prevalence of hacking has been rising steadily alongside the evolution of technology. No longer is it the past-time of an isolated teen in his parents' basement, derailing a network for the fun of it or to make a quick buck. Rather, hacking has become the domain of organised crime syndicates who target organisations in planned and strategic ways. It has also progressed to a space in which nation states target and breach one another to obtain sensitive information and data.
The challenge with skill
These sorts of challenges cannot be overcome merely by businesses adopting the latest technological counter-measures to cyber-attack. Rather, to ensure all facets of prevention, detection and response in a given organisation, human skill and an understanding of the attacker-mindset must be at the helm. And these are in short supply. Experienced cyber security personnel are sought after and fought over both in South Africa and abroad.
The unique skill set required of a professional or ethical "hacker" is in demand and only a few are emerging from educational institutions to become the next generation of security talent.
The existing senior security experts know what the organisation needs to be resilient in the face of
cybercrime but in reality, they are thin on the ground. Moreover, newly qualified individuals with the skills required of a cybersecurity professional are lacking in the necessary experience needed to effectively drive their careers. In this respect, there is a need to plug the gap between knowledge and ability.
Training for tomorrow
Organisations must take on graduates and give them a space within which to learn the proverbial tools of the trade while gaining insight into the attacker mind set, if cybercrime is to be combated. Alarmingly, many technical professionals contribute to cybercrime without even realising it, as many organised crime syndicates successfully masquerade as legitimate businesses, employing talent as they see fit.
Not only does cybercrime offer technical talent a way of exploring the cyber landscape without restriction but the sophisticated tools they develop can be sold to governments for profit. A simple Google search reveals plenty of sources regarding how hacking tools are being sold to government agencies. It is a profitable industry in which adversaries are proliferating.
This is compounded in South Africa where there is a scarcity of technical people who are interested in the security arena. It is not so much that security is not a viable career choice but that few realise how it has evolved into something more strategic and dynamic than it was in the past. Further, there are additional qualifications individuals need to be organisation-ready, and these are complex, expensive and require work experience before they can be undertaken.
Organisations thus need to actively source talent and provide such individuals with the relevant experience and support, also allowing for qualified but inexperienced individuals to spend time fine-tuning their skills and understanding the landscape. Organisations must recognise and address this challenge before the talent pool drains dry.
For tertiary education institutions, there is a need to piggy-back on enterprise demand by tailoring programmes and educational materials to guide the right talent down the security road. It is an extremely rewarding and challenging career, and when it comes to salary there are indeed some impressive packages.
It is, however, the awareness among many technical students regarding hacking ethically as a career that is lacking. As such, awareness programmes by both universities and organisations must form part of the solution.
From a business perspective, it is logical that organisations focus on hiring senior security personnel as it pertains to maximising budgets to get the most value out of the most relevant employees. Another reason could be that the company is not adequately prepared to train and equip juniors.
Regardless of this logic, the long-term ramifications of neglecting the growth of talent entail a scenario where the sophistication of attackers overcome that of our defenders. Organisations and universities should collaborate, creating graduate programmes where young talent is integrated into trained security teams to learn and grow in specific industry sectors.
Short supply, high demand and the future
Security teams are in high demand. They flow from one sector and organisation to another, pulled by the currents of salary and opportunity. The organisations obtaining them are as likely to lose them when another opportunity emerges. To alleviate this pressure on industry and enterprise, security skill sets have to be nurtured and opportunities given. The young talent pool must be shown the potential within this career path, given the right education to move along it, and allowed the chance to expand their skills into experience within a real-world setting. Organisations have a pivotal role to play in this step, as do education institutions. Together, they can create a space within which skills can grow, working towards lifting the weight that cybercrime places on organisations and countries across the globe.