- Cybersecurity can't be left to technology - it needs human input, too.
- C-suite leadership on this issue can have multiple benefits.
- Training doesn't need to be expensive; free resources are available.
- As well as saving money, cybersecurity engenders customers' trust and can aid staff retention.
According to a recent survey of IT decision makers by the Centre for Strategic and International Studies, 82% of employers say they have a shortage of cybersecurity skills—and 71% say this causes direct and measurable damage to their organizations.
Advanced cybersecurity technology is one way companies are mitigating the effects of this skills shortage; still, it takes human strategy and a collaborative effort to effect pervasive and continuous protection from cyberthreats. At stake are not only individual companies, but also their customers, their supply chains and the public at large.
Have you read?
Rather than bemoaning the talent deficit, the C-suite can and should do something about it. It may be an uphill effort - but allies and opportunities to get started are abundant. Here are some ideas:
Cybersecurity shifts from encumbrance to enabler
Once viewed as a constraint on business agility and performance, cybersecurity is now seen as the table stakes for survival. For obvious reasons, corporate leaders are eager to avoid the devastating impacts of data breaches, distributed denial-of-service (DDoS) attacks and ransomware. But beyond that, they are also seeing cybersecurity as a competitive differentiator, due to the public’s growing awareness of digital privacy and the value of protecting personal data and intellectual property.
As with any business opportunity, the advantage goes to the aggressive adopters. The most digitally trustworthy companies are those that invest heavily in cybersecurity technology, processes and people. Gartner predicts that worldwide spending on information security products and services will have reached $124 billion in 2019, an increase of 8.7% on 2018.
Talent acquisition, however, remains elusive, because no matter how deep a company’s pockets, there are simply not enough cybersecurity skills to go around. And the demand for these skills is growing more urgent, with the increasing ease of launching cyberattacks and the variety of adversaries—cybercriminals, cyber terrorists, and nation states—that companies must repel.
Overcoming the cybersecurity talent shortage
There are ways companies can make up for the shortfall in IT security talent. First, they can grow their own. Admittedly, chief information security officers (CISO) and other IT executives face significant hurdles in securing the necessary budget for any cybersecurity initiative, and it may be much harder to estimate a return on investment for cybersecurity training than for security technology. Still, companies can make some progress with minimal outlays.
Second, companies can recognize that cybersecurity—like most business activities—is a team effort. It takes the cooperation of everyone in the company to minimize infiltration, data loss and the spread of malware. To have an appreciable impact, employees' cyber education must be multi-faceted and ongoing.
Fortunately, companies do not need to develop or maintain their entire cyber-education programs on their own. They can take advantage of freely available education material such as the Cybersecurity Learning Hub, global certification associations such as CompTIA, and of course vendor-sponsored programmes.
The C-Suite as the nucleus of cybersecurity education and training
It may fall to the CISO or chief information officer (CIO) to champion the cause of cybersecurity training and education programmes. But everyone in the C-suite has a stake in the success of these initiatives.
For the CEO and chief financial officer (CFO), increased cybersecurity proficiency can correlate directly with eliminating or reducing downtime due to an outage, a lower risk of breach-related revenue loss, and fewer penalties for compliance violations. For the chief marketing officer (CMO), having a well-trained in-house cybersecurity force enables the company to securely innovate, solidifies the company’s reputation as a trusted partner, as it demonstrates a commitment to protecting the digital assets of its customers and suppliers. For the chief operating officer (COO), training can help with increased retention of technical talent, which is among the costliest to recruit and which takes 50% longer to hire than other roles.
Considering that the average annual cost of cybercrime for a company is $13 million, most outlays on training and education would pale in comparison. Employee cybersecurity education, meanwhile, fosters greater engagement companywide, as it empowers every individual to make a vital contribution to the security of the entire network.
What is the World Economic Forum doing on cybersecurity
The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.
Our community has three key priorities:
Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.
Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.
Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.
Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.
The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.
For more information, please contact us.
Cybersecurity education should not stop at the company’s doorstep, either. In the ongoing effort to stem the tide of cybercrime, it is mutually beneficial for organizations to collaborate on cybersecurity education. As an example, Fortinet and Salesforce, in concert with the World Economic Forum Centre for Cybersecurity, have already taken the first steps to promulgate cybersecurity education throughout communities worldwide in the creation and educational content included as part of the Cybersecurity Learning Hub.
Extending this point even further, as digital life begins in early childhood, so should cybersecurity education. Free, age-appropriate materials from real-world cybersecurity practitioners are a boon to cash-strapped school districts and busy teachers. Businesses, associations and government agencies offer a variety of resources for K–12 cybersecurity programmes. In the higher grades and in college, there is also an early opportunity to groom the next generation of cybersecurity talent, which may help accelerate the closure of the skills gap.
It takes a global effort to defend our economies and societies from accelerating cybersecurity threats - and cybersecurity training and education is an important part of that effort. To the extent that the C-suite is engaged and invested in promoting training and education programmes, organizations can unlock the full potential of cybersecurity as an enabler of business innovation.