
Opinion: Skills aren’t just a part of cybersecurity strategy – they are the strategy

To defend against a barrage of cybersecurity threats, organisations should constantly update their skills base, argues guest author Graham Hunter, VP of skills at CompTIA.

Cybersecurity events such as data breaches can do real harm to human lives and livelihoods. Organisations now collect more data than ever before. They process it and turn it into actionable insight, and as a result, data is highly valuable; some say it is becoming more valuable than money itself. As such, it’s increasingly true that breaches impact businesses’ ability to operate and can lead to punitive policies for any loss of personal data.

Cybersecurity training often happens only every two to three years, but should be ongoing, argues CompTIA’s Graham Hunter. (Photo by 5432action/iStock)

However, millions of roles – including key tech jobs – are sitting vacant. That means user accounts are also sitting dormant, allowing hackers to have more leeway to experiment and learn from each hack, which at small organisations can go undetected for a considerable amount of time. One can easily see how the high-churn, low-retention digital business environment of today lends itself to increasing risk. So, the question is this: beyond cursory investments in cybersecurity, how are organisations keeping up with the pace of change and the changing face of the threats? Are they keeping up? Can they?

The increased burden of risk facing companies today raises an important point: in 2021 we should all be thinking about cybersecurity strategy less in terms of a physical (or digital, as it were) investment in the tech itself, and more in terms of an investment in the knowledge and competency of people in tech roles. Because having highly skilled people isn’t part of a strategy; it is the strategy, and without those people, everything falls apart.

Admittedly, finding and keeping capable and driven tech workers today may seem “easier said than done.” The breadth and depth of skills and competencies now required by the workforce and in key tech roles is a huge concern and an area of confusion for businesses. Many HR departments struggle, due to perceived and real barriers, to understand how to hire for requisite competencies and staff cybersecurity roles.

Tech team managers struggle with how to get everyone working from the same (ever-changing) playbook, which can lead to serious quality and performance issues. Secondary to staffing for cybersecurity roles, risk-averse businesses have been slow to adopt emerging technologies like blockchain and AI-enabled tools, fearing that a poorly managed adoption will hinder business or hurt their reputation. It’s easy to understand their conundrum: if you’re struggling to secure your house, is it wise to fill it with more valuables and build entire rooms that you can’t see into?

Cybersecurity strategy: the need for constant skills updates

The tech landscape can feel overwhelming for decision-makers in IT, but the need for skills as the driving force behind any organisation’s cybersecurity strategy has never been clearer, and there is a way to do this right using economies of scale.

Every tech team shouldn’t (and doesn’t have to) recreate the wheel every time they spec out a new tech job ad or design a training program for a newly onboarded IT or security manager. The competencies, training tools, and certifications exist, and the legwork of ensuring that those standards are bulletproof has already been handled. Pathways like apprenticeships are an excellent way to ensure learning happens in a consistent manner and leads to skills that can get the job done.

Once workers are on the job, training can and should be happening multiple times a year, rather than every 2-3 years, which is an unfortunately common and very outdated approach to tech skills. Nurturing internal talent in this way, or by, for example, offering apprentices a job at the end of their apprenticeship, is not only smart for cybersecurity strategy, but it’s a sound strategy for talent development and retention. It also ensures the consistent presence of skilled teams and eliminates the need to employ new staff. In short, keeping the focus on upskilling (looking left) is smarter and more efficient than focusing on new hires (looking right).

Today’s cyber teams must fully understand digital best practices and have a continually evolving understanding of cyber hygiene (things like zero-trust policies and two-factor authentication), because the norms themselves are changing rapidly. Industry-recognised training and certifications, as well as on-ramps like apprenticeships, can remove the guesswork from cybersecurity upskilling and ensure access to the most up-to-date tools and techniques. But today, too many organisations are still trying to go it alone, with teams working in isolation and relying on best guesses to keep them safe.

Getting everyone on the same page and reading from the same playbook is a first step, and gives organisations a fighting chance to weather inevitable cyber storms. When organisations make early and sound investments in the training and upskilling strategies of their tech workers, they free up resources to use tech not just as a defence tactic, but as a strategy for growth and evolution. When they don’t, they run the very real risk not only of becoming a target, but of losing relevance in an increasingly digital, connected, and data-driven business world.

Graham Hunter is VP for skills at non-profit IT certification provider CompTIA.