Lack of talent, skills often companies' biggest cybersecurity flaw

Cyber security talent and skills shortcomings can put firms at serious risk of experiencing a breach, making information security awareness campaigns an invaluable investment for just about any company.

Considering the sheer number of data breaches to make the news in recent weeks, it’s all but certain that a lot of business leaders are now reevaluating their own organizations’ cyber security capabilities. Executives, managers and owners dread the notion that their companies may be the next ones to receive this ignominious coverage.

Naturally, many of these self-audits will focus on cyber security tools, such as firewalls and anti-malware programs. But as important as these factors may be, it’s critical that companies pay even greater attention to the issue of cyber security talent and skills. As CIO recently highlighted, shortcomings in this area can put firms at serious risk of experiencing a breach, making information security awareness campaigns an invaluable investment for just about any company.

A misleading target

Part of the problem in this area is the simple fact that it can be difficult to discern the impact of cyber security awareness, skills and talent. When all goes well, there’s no obvious return – the benefit is the lack of a data breach or other incident. With that being the case, some company decision-makers tend to underestimate the importance of these factors. This can lead to myopic decision-making, as Elain Varelas, managing partner of Keystone Associates, told the news source.

Business leaders must appreciate the value of cybersecurity skills.Business leaders must appreciate the value of cyber security skills.

“If you’re trying to squeeze out a few extra bucks by hiring cheaper talent, slashing software budgets or eliminating training and education, well, in the short-term you might be rewarded,” Varelas explained, according to the source. “But someone must be asking the question, loudly, ‘Does this increase our risk?'”

In many cases, the answer will be yes. But by the time that becomes clear, the firm will quite possibly have already experienced a data breach.

The risk of complacency

Going further, the source pointed out that cyber security skills, talent and awareness must be an ongoing concern in order to ensure a company remains as protected as possible from evolving threats. Unfortunately, some firms that experience an extended period without a breach eventually come to overestimate their safety and underinvest in information security awareness training as a result.

“[I]f you’re doing security right … you’re not going to get the highly publicized failures, which you’d assume is a great thing, but that can lead to complacency – and an unwillingness to invest in skilled talent, preventative technology and education and training to keep organizations secure,” explained cyber security expert Mark Weinstein, CIO reported. “So it’s all about being able to understand threats, how they’re evolving and why, and be proactive about heading them off before they occur.”

“New, advanced cyberdefense tools and strategies are always essential.”

Advancing training

Weinstein’s emphasis on evolving threats is critical. In far too many cases, business leaders aim to address cyber security issues through one-time training and education efforts. Even if such an initiative is successful, the fact of the matter is that the most dangerous cyberthreats of today will not resemble those of tomorrow. Cybercriminals and hackers are constantly working to improve their techniques, developing more sophisticated, subtle strategies for penetrating corporate networks. As such, new, advanced cyberdefense tools and strategies are always essential.

Employees’ information security awareness plays a key role in this capacity. After all, many of the most prominent breaches of the recent past were the result of successful phishing attacks – most notably, spearphishing played a major role in the recent worldwide billion-dollar bank heist.

With ongoing employee training and cyber security awareness campaigns, however, businesses can ensure their personnel remain up-to-date on the strategies that cybercriminals are now utilizing, improving the chances that workers will resist falling victim to phishing attempts or other cyberattacks.