I have good news and bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Survey, there are currently 4.7 million people in security jobs.
The bad news: the same study found a global shortage of 3.4 million cybersecurity workers. It also found that 70% of those surveyed believe their organizations’ security teams are understaffed, which makes those teams less effective.
As cyberattacks become more sophisticated and the threat landscape expands, organizations need to be creative in their approach to cybersecurity. It’s not enough to adjust the parameters of skills development; you need to rethink what your internal cybersecurity program should look like.
Cybersecurity is all about people
Cyber skills should not be reserved for experienced and well-trained cybersecurity professionals. While the security team runs the show, their job is primarily to focus on the technical side.
But most cyber incidents are the result of human error or ignorance of security best practices. Unfortunately, workplace culture may not encourage employees to come forward when they see or do something out of the ordinary. This allows threats to stay under the radar until it’s too late.
Security best practices only work when everyone is part of the solution. This matters even more given the current cybersecurity staffing shortage. Doing more to make security an “all hands on deck” effort would help close the skills gap.
Certification for Beginners
One of the biggest hurdles to closing the talent gap isn’t a lack of people with the right skills; it’s that employees at the beginning of their careers cannot meet the requirements being set. Too many entry-level job postings ask new hires for qualifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). However, the prerequisites for most certification exams include several years of work experience (many require five), the exams are expensive (costing hundreds of dollars), and they are difficult to pass on the first attempt. And once someone holds such a certification, they no longer apply for entry-level positions.
This approach has weeded out many potential cybersecurity professionals who are just beginning their careers. In response, (ISC)2 has started a new entry-level certification initiative. Participants can register as an (ISC)2 Candidate, receive free training through a self-paced course, and have the opportunity to take the exam for free. Once certified, participants have access to the same professional development opportunities and resources as other certified professionals. While the overall aim is to increase the number of skilled workers available for entry-level positions and above, it is also an opportunity for more people to explore cyber careers without spending thousands of dollars, and to give employers confidence when hiring less experienced people.
“Employers should be confident when hiring new entrants to the field that they have a solid grasp of the relevant technical concepts and demonstrated aptitude to learn on the job,” (ISC)2 argued. With the creation of such a certificate, it added, job seekers can “demonstrate to employers that they are familiar with basic cybersecurity concepts, as determined by cybersecurity professionals and practitioners already in the field.”
Rethinking Security Awareness Training
Security awareness training doesn’t work. A study by Elevate Security found that security training slightly reduces phishing click rates in simulations, but when that training really matters, it has little to no effect in real-world attacks. Regular online quizzes and annual lectures just don’t cut it.
Different styles of training can make a bigger difference. Users become partners of the cybersecurity experts when they understand the consequences of their actions and how to mitigate risks. The goal is to reduce incidents caused by people so that the security team can focus on the technical side of the job. But first, users need to be more involved in awareness training activities.
At the Insider Risk Summit, Marisa Fagan, head of trust culture and training at Atlassian, said training should be fun. When training is fun, employees feel like they are part of something important to the company. According to Fagan, effective security training should be relevant, fast-paced, and include an element of storytelling; the aim is for employees to talk about their sessions and share what they learned in casual conversation.
Fagan suggested a training film that is an actual film: it has the drama and excitement of an action movie, but is tailored to highlight the organization’s security concerns. It is far more engaging than a PowerPoint presentation, and the training sticks.
Change Behavior to Close the Gap
Reconfiguring cybersecurity while addressing the skills shortage requires a change in behavior across the board. Just as security awareness training needs to be engaging to be effective, enforcing security best practices depends on the user experience. Ira Winkler, Field CISO and Vice President at CYE, who spoke at the 2022 (ISC)2 Security Congress, said the hope is that users will make better decisions and do the right thing on a regular basis.
Security teams can make cybersecurity part of everyone’s job, change IT interfaces, and take steps to encourage behavior that reinforces good security habits. Overall, employees should be rewarded when they are “caught” doing the right thing rather than penalized for doing the wrong thing.
Skills shortages don’t disappear overnight. However, steps such as improving security awareness training and accepting novice certifications as entry-level qualifications can help organizations align their approach to cybersecurity posture and build a foundation to support cybersecurity teams.