“As we peer into the future and set our sights on 2024, it’s unmistakable that the security landscape is growing increasingly complex. [And] the news may not be as sunny as we’d like it to be.”
Dr. Zvi Guterman, Founder & CEO, CloudShare
We live in what some have called a golden era for cybercriminals. Cyberattacks are both more frequent and more sophisticated, increasingly leveraging emerging technologies such as artificial intelligence and the cloud. Digital crime, meanwhile, operates at virtually every scale, with targets ranging from small businesses to entire supply chains.
This surge in cybercrime would be challenging even if everyone had a fully staffed security team. However, we live in a world defined by an ongoing cybersecurity shortage. A world where hackers from a single country outnumber the Federal Bureau of Investigation’s cyber staff fifty to one.
To say that the situation is less than ideal would be putting it lightly. But it’s also not insurmountable. Provided you understand the reasons behind the talent shortage and use that understanding to develop an effective cybersecurity training program, you can protect both yourself and your business.
“The threat environment is constantly changing, but how businesses have responded to those threats remains largely the same. That’s not going to work anymore.”
— McKinsey & Company, Perspectives on Transforming Cybersecurity
Modern threat actors are not only more numerous, they’re also considerably more organized. In its State of Cybersecurity 2024 report, CompTIA found that not only had the number of cybercriminals skyrocketed, but they had also improved their organizational abilities. To make matters worse, they’re also more active than ever — 84 percent of organizations experienced one or more breaches in the past year.
Compounding the problem, with more and more of the world being brought online, cyberattacks now have a far greater potential to cause catastrophic damage. This is particularly true for smaller businesses, many of which fail to survive even a single data breach.
Unfortunately, the security profession continues to lag behind. Per cybersecurity vendor Fortinet, 58 percent of organizations struggle to recruit security talent, and 54 percent struggle to retain it. By 2025, there will be a projected 3.5 million unfilled positions.
Unsurprisingly, only 25 percent of IT staff and 21 percent of businesses are satisfied with their organization’s cybersecurity — and just 27 percent felt the overall state of cybersecurity in the economy is dramatically improving.
Educated cybersecurity professionals have an unemployment rate of close to zero, while security analysts and engineers in the United States, on average, receive an annual salary in the low six figures. In an uncertain global economy, these two factors should create a surge of interest in cybersecurity careers. So why hasn’t that happened?
There are a few root causes:
Better security education is the first and most important step in addressing the cybersecurity skills gap. But what does that entail?
In an increasingly digital world, understanding cybersecurity is as important as understanding basic traffic safety. We as a society need to provide childhood training and education on digital safety, privacy and security. Most threat actors don’t care if they’re targeting a 6-year-old or a 60-year-old — they’re just looking for a payday.
In Verizon’s 2023 Data Breach Investigations Report, the company noted that 74 percent of data breaches are caused by human error.
In cybersecurity, people are both the weakest link and the first line of defense. It’s essential to teach employees to be more mindful and train them to recognize the signs of tactics such as phishing. However, most businesses go about it in entirely the wrong way.
They force employees to sit through long, non-interactive sessions that most people will have forgotten about by the next day. They treat their training as one-size-fits-all rather than tailoring it to each employee’s role and level of knowledge. And perhaps worst of all, they treat cybersecurity as a highly technical issue — the domain of IT above everyone else.
Organizations need to acknowledge that security is now everyone’s responsibility, and adjust their cybersecurity awareness training accordingly. That means not only providing more tailored messaging, but also breaking things down into more digestible segments that can be delivered more frequently.
Possible areas of focus include:
We also need to make training resources more accessible to anyone pursuing a career in cybersecurity. Not everyone has access to higher education, so training departments must take it upon themselves to develop internal training and certification programs. These regularly updated programs should be accessible to any employee interested in upskilling or reskilling.
“Cybersecurity is all about education,” says Kaspersky’s Head of Xtraining Yuliya Shlychkova. “You need to continuously update your knowledge and your skills. But the training you use for that can’t be solely theoretical — learners need to be able to practice what they learn.”
To put it another way, there’s a difference between technical knowledge and practical experience. You can know everything there is to know about ransomware and still have no idea what to do in an actual attack. Security education cannot stop at static learning materials. It needs to include simulation training that replicates your organization’s unique environment on demand.
Fortunately, you don’t need to create your security training material entirely from scratch. Instead, you can look at how some of the top cybersecurity certification programs are structured. The SANS Institute is an excellent starting point.
Widely regarded as one of the gold-standard organizations for cybersecurity certifications, SANS employs some of the world’s top practitioners as instructors. In addition to general security training and certification, SANS also provides cybersecurity awareness training, consulting services and a comprehensive knowledge base.
Training is only the first step. It cannot solve the talent shortage on its own. Businesses must also reexamine their hiring practices and culture.
Don’t just look at a candidate’s qualifications on paper. Assess their skills and personality alongside their knowledge. Consider using a cybersecurity lab as an onboarding tool to assess how well someone performs under pressure and how effectively they can think on their feet.
Remember that knowledge can be learned and certifications can be earned, but there’s no substitute for talent and passion.
Burnout has been an ongoing problem in cybersecurity for years. As many as 63 percent of current security professionals report that they’ve considered quitting due to stress. You need to create a supportive work environment by:
One of the most significant stressors for any security professional is tool bloat. Too many security stacks are an unsustainable, cumbersome amalgamation of patched-together tools and point solutions. That needs to change — start by identifying your organization’s core cybersecurity needs, then seek a vendor that fulfills those needs via a single platform.
Consider providing your security team with a sandbox environment in which they can test for vulnerabilities or run threat simulations.
As recognized by CloudShare’s own Dr. Guterman, combating cyber threats requires broad collaboration not just within the cybersecurity industry, but between nations as well. At present, the greatest weakness in global cybersecurity is our own lack of unity. A world where everyone works together in the interest of better security is every cybercriminal’s worst nightmare.
Cybersecurity education is the bedrock of an effective security strategy, but its value is difficult to quantify through numbers alone. For instance, the average cost of a data breach is $4.45 million. One could argue that through better security training, a business spared itself this expense.
But that’s not entirely accurate. Nor does it touch on the true ROI of cybersecurity training, which includes:
Regardless of ROI, no business can afford to ignore cybersecurity — not anymore. Security education is now every bit as important as basic onboarding. As the world continues to move towards digital transformation and hyperconnectivity, cybersecurity training will only grow more critical.
In part, this is because even as the world continues to evolve, one thing will remain the same. No matter how sophisticated and organized threat actors become, human error will remain the root cause of almost every cyber incident. And the best way to address the human element will always be through effective education.
Book a demo today to see how CloudShare can help you create hands-on training experiences to improve cybersecurity training and hygiene.