How business leaders can close their cybersecurity skills gap

According to a recent survey of IT decision makers by the Centre for Strategic and International Studies, 82% of employers say they have a shortage of cybersecurity skills—and 71% say this causes direct and measurable damage to their organizations.

Advanced cybersecurity technology is one way companies are mitigating the effects of this skills shortage; still, it takes human strategy and a collaborative effort to effect pervasive and continuous protection from cyberthreats. At stake are not only individual companies, but also their customers, their supply chains and the public at large.

Rather than bemoaning the talent deficit, the C-suite can and should do something about it. It may be an uphill effort - but allies and opportunities to get started are abundant. Here are some ideas:

Once viewed as a constraint on business agility and performance, cybersecurity is now seen as the table stakes for survival. For obvious reasons, corporate leaders are eager to avoid the devastating impacts of data breaches, distributed denial-of-service (DDoS) attacks and ransomware. But beyond that, they are also seeing cybersecurity as a competitive differentiator, due to the public’s growing awareness of digital privacy and the value of protecting personal data and intellectual property.

As with any business opportunity, the advantage goes to the aggressive adopters. The most digitally trustworthy companies are those that invest heavily in cybersecurity technology, processes and people. Gartner predicts that worldwide spending on information security products and services will have reached $124 billion in 2019, an increase of 8.7% on 2018.

Talent acquisition, however, remains elusive, because no matter how deep a company’s pockets, there are simply not enough cybersecurity skills to go around. And the demand for these skills is growing more urgent, with the increasing ease of launching cyberattacks and the variety of adversaries—cybercriminals, cyber terrorists, and nation states—that companies must repel.

There are ways companies can make up for the shortfall in IT security talent. First, they can grow their own. Admittedly, chief information security officers (CISO) and other IT executives face significant hurdles in securing the necessary budget for any cybersecurity initiative, and it may be much harder to estimate a return on investment for cybersecurity training than for security technology. Still, companies can make some progress with minimal outlays.

Second, companies can recognize that cybersecurity—like most business activities—is a team effort. It takes the cooperation of everyone in the company to minimize infiltration, data loss and the spread of malware. To have an appreciable impact, employees' cyber education must be multi-faceted and ongoing.

Fortunately, companies do not need to develop or maintain their entire cyber-education programs on their own. They can take advantage of freely available education material such as the Cybersecurity Learning Hub, global certification associations such as CompTIA, and of course vendor-sponsored programmes.

It may fall to the CISO or chief information officer (CIO) to champion the cause of cybersecurity training and education programmes. But everyone in the C-suite has a stake in the success of these initiatives.

For the CEO and chief financial officer (CFO), increased cybersecurity proficiency can correlate directly with eliminating or reducing downtime due to an outage, a lower risk of breach-related revenue loss, and fewer penalties for compliance violations. For the chief marketing officer (CMO), having a well-trained in-house cybersecurity force enables the company to securely innovate, solidifies the company’s reputation as a trusted partner, as it demonstrates a commitment to protecting the digital assets of its customers and suppliers. For the chief operating officer (COO), training can help with increased retention of technical talent, which is among the costliest to recruit and which takes 50% longer to hire than other roles.

Considering that the average annual cost of cybercrime for a company is $13 million, most outlays on training and education would pale in comparison. Employee cybersecurity education, meanwhile, fosters greater engagement companywide, as it empowers every individual to make a vital contribution to the security of the entire network.

Cybersecurity education should not stop at the company’s doorstep, either. In the ongoing effort to stem the tide of cybercrime, it is mutually beneficial for organizations to collaborate on cybersecurity education. As an example, Fortinet and Salesforce, in concert with the World Economic Forum Centre for Cybersecurity, have already taken the first steps to promulgate cybersecurity education throughout communities worldwide in the creation and educational content included as part of the Cybersecurity Learning Hub.

Extending this point even further, as digital life begins in early childhood, so should cybersecurity education. Free, age-appropriate materials from real-world cybersecurity practitioners are a boon to cash-strapped school districts and busy teachers. Businesses, associations and government agencies offer a variety of resources for K–12 cybersecurity programmes. In the higher grades and in college, there is also an early opportunity to groom the next generation of cybersecurity talent, which may help accelerate the closure of the skills gap.

It takes a global effort to defend our economies and societies from accelerating cybersecurity threats - and cybersecurity training and education is an important part of that effort. To the extent that the C-suite is engaged and invested in promoting training and education programmes, organizations can unlock the full potential of cybersecurity as an enabler of business innovation.