Don't overlook your biggest security flaw -- your talent

The IT skills gap isn't as bad as you think -- it's worse, much worse. Especially in the area of cybersecurity, that skills gap is a major threat to your business.

The skills gap all IT organizations struggle with can be summed up in three words: "not enough people," according to author and Wall Street Journal columnist Gary J. Beach (Beach is also publisher emeritus of CIO magazine). But when the skills gap is viewed through the lens of cybersecurity, it becomes much more than an HR struggle to put bodies in seats -- it becomes dangerous and costly.

CIOs must take advantage of their unique position in the C-suite to drive increased emphasis on security spending, hiring quality talent and furthering education and training for that talent, or risk catastrophe.

Security is a sound investment

The paradox inherent in enterprise security is that if you're doing it right, no one can tell, says Mark Weinstein, founder of social media platform Sgrouples and a cybersecurity and privacy expert. According to Weinstein, CIOs must be vigilant about explaining the real risks and threats, and be willing to drive the investments necessary to mitigate them.

"One of the major issues here is that if you're doing security right, you're not necessarily going to see the results. You're not going to get the huge breaches, you're not going to get the highly publicized failures, which you'd assume is a great thing, but that can lead to complacency -- and an unwillingness to invest in skilled talent, preventative technology and education and training to keep organizations secure. So it's all about being able to understand threats, how they're evolving and why, and be proactive about heading them off before they occur," says Weinstein.

That proactive approach must also extend to communicating effectively about the nature of potential and emerging threats and continuing to make security a priority across the entire organization, says Elaine Varelas, Managing Partner of Keystone Associates. That includes realistic assessments of the costs and benefits of a sound security strategy.

"Organizations tend to reward people who save them the most money, but especially in the area of security, they don't always understand at what cost that's being done," Varelas says. Organizations that are security-conscious enough to have a chief security officer are often more proactive about security issues, but in those that aren't, the burden often lands on the shoulders of the CIO.

"If you're trying to squeeze out a few extra bucks by hiring cheaper talent, slashing software budgets or eliminating training and education, well, in the short term you might be rewarded. But someone must be asking the question, loudly, 'Does this increase our risk?' At the highest executive level, some CEOs will say, 'Well, that's not my issue, I hired a CIO for that,' but the constant vigilance about security, risk and threats has to be spread across the entire organization, not just on the shoulders of one exec," says Varelas. CIOs must be confident enough to maintain, with the help of the CFO, the financial balancing act of risk versus reward so that everyone understands how to make the best, most secure decisions.

"CIOs in this position must be able to communicate their beliefs about the level of security that's needed in language everyone can understand. The C-suite, executive boards, managers, entry-level workers all must understand that even if they can't see results of the security strategy immediately, the strategy is working and the investment is paying off," she says.

Don't ignore education and training

It's not enough to simply invest in hiring security talent, though; there must be adequate resources devoted to keeping that talent on the cutting edge of security and best practices. "Sometimes executives believe that if they've hired a few people, they've solved their vulnerability problem. But it's more complex than that -- landing the talent's only half of the equation. It's about continuing education and training for that talent; defending budgets for conference attendance, educational courses and workshops. What your talent locked down and secured for you last year could be vulnerable this year. It's about more than just salary, it's a continuous investment into the best weapon you've got -- the brains behind the technology," says Weinstein.

Many organizations do understand the need for continuing IT training, especially in the areas of security, compliance and governance skills, but balk when confronted with the costs of such training, according to a survey from Cybrary, a provider of free massive open online courses (MOOCs) for IT and cybersecurity.

The survey asked 405 senior-level technology professionals about their companies' plans for IT training in 2015, according to co-founder Ryan Corey. While 61 percent of respondents said employees in their company need such training and 55 percent predicted an increased need this year and beyond, the survey revealed that most companies plan to spend the same amount of money on IT training for 2015 as they did in 2014.

Fewer than a quarter of survey respondents allocate 10 percent to 20 percent of their IT budgets to training, while 11 percent said they don't provide any money for IT training because it's too expensive -- and that could be a costly mistake.

"The data we've compiled suggests that companies do not provide enough means for IT training, despite a lack of IT talent and ever-increasing technology and cybersecurity challenges," Corey says. "This skills gap is only getting worse, even as demand for these skills accelerates. And most cybersecurity training providers are prohibitively expensive -- even the most forward-thinking business is going to raise an eyebrow at paying $3,000 to $5,000 per class, especially because the skills taught could be obsolete almost immediately!"

That's not to say such training isn't worth it, by any means, Corey says. "Cost is the biggest obstacle -- for employees who want and need to learn these skills but whose companies cut the training budget, or who don't offer reimbursement for courses, it's a fantastic option," he says. Cybrary also emphasizes a focus on talent from developing nations that might not have the computing resources or infrastructure available to otherwise study and address security threats.

"The cybersecurity landscape changes so quickly that it's already nearly impossible to keep up with the emerging threats without ongoing access to continuing education. You need to make awareness and education of your security talent the linchpin of your overall strategy," says Corey.

Listen to your talent

If you have the talent and you're willing to invest in their education and training, you're on the right track. But those investments won't pay off unless you're also committed to following through on their recommendations, says Mike Ricotta, head of development at Blue Fountain Media and a cybersecurity expert.

Make sure your skilled, certified, experienced security employees aren't needlessly having their work impeded by operational priorities, because ensuring the security of your organization and its data, not to mention that of its customers, is priority number one. Even where the expected cost of cleaning up after a security failure does not exceed the cost of preventing it, the damage to your business's reputation and the loss of customer trust can be devastating.

"If your organization is serious about ensuring security, make sure that you give your talent a voice and you take every recommendation seriously, because the one that gets compromised may very well be the one that's exploited," Ricotta says.

By Sharon Florentine