[By Irfan Shakeel, Vice President of Training and Certification Services at OPSWAT]
Addressing the cybersecurity skills gap stands out as a paramount challenge in fortifying companies’ cyber resilience today, especially given that the remedy is neither swift nor straightforward. Transforming the educational system to align with the modern requirements of cybersecurity professionals or retraining existing technical talent for cybersecurity roles entails a prolonged collaborative effort between the private and public sectors. Nevertheless, organisations can proactively navigate the cyber skills gap by prioritising initiatives centred on retraining and maximising the potential of existing cybersecurity talent.
The cyber skills gap in the critical infrastructure sector
The cybersecurity skills gap is a persistent issue because of a constantly growing skills demand. In the UK over the past year, cybersecurity job postings went up by 30%, according to the National Cyber Security Centre (NCSC). Yet to meet this growing demand, the UK’s cybersecurity labour force would need an additional 11,200 employees.
This challenge becomes more acute when you drill down into the need for sector-specific cybersecurity skills. Take, for instance, the safeguarding of cyber-physical systems, which are integral to the digitalisation of the critical infrastructure (CI) sector. This necessitates a distinct skill set compared to securing the digital environment of an enterprise.
However, most cybersecurity training and information available online addresses IT security rather than operational technology (OT) security. Advancing cybersecurity skills for CI is imperative because compromises in cyber-physical systems can be detrimental to public safety and national security. This means CI organisations must focus their attention on empowering their current talent.
Fostering security-driven culture
From the shortage of experts in critical areas such as threat analysis, penetration testing, and AI, to the broader issues of workforce diversity, the problems contributing to the cyber skills gap are complex and evolving. That said, Verizon’s report revealed that 74% of data breaches resulted from human errors.
Organisation-wide security awareness and a culture that promotes security practices limit human errors and alleviate the workload of cybersecurity employees. A good security culture encourages employees to identify suspicious items, such as emails or activity, and immediately flag them to the relevant teams. This behaviour stops attacks before they can travel through a company’s environment. A security culture can be implemented by driving employee awareness of best practices and continuously measuring the impact of internal initiatives.
Leveraging AI in cybersecurity training
There is a significant opportunity to leverage AI for enhanced cybersecurity training. Through AI, organisations can personalise their training programmes to the learning styles and knowledge levels of individual users. AI-powered chatbots can act as personal coaches to make training more engaging. Stimulating conversation throughout the learning process can help users retain knowledge more effectively.
AI can also be used to create attack scenarios to help analysts understand how to detect and respond to modern threats effectively. This technique can also be employed by non-technical employees. For example, large language models (LLMs) can be used to simulate phishing attacks, helping employees better recognise potential threats.
Providing hands-on, in-person training
Providing hands-on training experience is essential to gain a deep understanding of security products and practices and how to apply them in real-life scenarios.
Although the Covid-19 pandemic established the habit of remote training, when it comes to developing new skills, it is important to maintain personal interactions on a frequent basis. This allows for asking questions in real time and learning from peers. By providing immersive and customised training, cybersecurity skills bootcamps enhance knowledge exchange. For example, OPSWAT recently launched the OPSWAT Academy Bootcamp, a global in-person training programme.
Recruiting from non-cybersecurity backgrounds
Organisations should also be open to recruiting cybersecurity professionals who may not have a traditional background. More than half of hiring managers (59%) surveyed in research by ISC2 and OPSWAT saw an increase in job applications from technically experienced people with no prior cybersecurity experience. Professionals who may not have prior cybersecurity experience can instead offer a diverse technical background that sets them up for a successful cybersecurity career.
As organisations continue to grapple with the cyber skills gap, it is important they recognise there are initiatives and strategies that can be readily implemented to empower cybersecurity employees and build cyber resilience. This is especially important in the CI sector, where the implications of skill shortages are more pressing.