More organizations than ever are conducting business online. An expanding digital footprint and increasingly sophisticated cyber attacks have created a growing urgency to secure that data and the resources organizations are deploying.
It’s one reason why Gartner predicts worldwide spending on Information Security will grow to $124 billion this year. And yet, in spite of all of that spending, some security researchers estimate that the cost of cybercrime will have quadrupled since 2015, reaching $2.1 trillion by the end of 2019 and outpacing spending on cybersecurity by over 16 times.
The global threat of cybercrime
The truth is, organizations are struggling to keep up with the cybercriminal community. There are many reasons for this. Digital transformation, including cloud adoption, SD-WAN, and IoT (Internet of Things) – is creating and expanding new and sometimes unexpected means of attack.
The threat landscape continues to expand, while cyber threats are continually becoming more sophisticated. This has convinced organizations to expand their security policies and deploy more security solutions.
Unfortunately, most cybersecurity tools and strategies are simply not up to the task of protecting today’s evolving networks from increasingly sophisticated attacks. These traditional tools are not powerful enough to operate at the speeds that today’s networks demand. They aren’t integrated together, which means that they can’t effectively solve today’s problems. And these legacy tools aren’t automated enough, which means they rely on humans to respond to threats happening at digital speeds.
The growing cybersecurity skills gap crisis
The reality is that there are simply not enough skilled humans available to properly plan, manage, integrate, and optimize security devices, strategies, and protocols. According to a recent workforce development survey, 59% of organizations have unfilled cybersecurity positions, with Frost & Sullivan forecasting a shortfall of 1.5 million by 2020.
There are two reasons for this. The first is that the expansion of the digital marketplace has generated more jobs than the current supply of security professionals can meet. The second is a problem of scale; there is currently not an efficient way to create skilled security practitioners at the same rate.
Unless things change, we are looking at a potential crisis that could slow down our global digital economy and continues to put organizations and their customers and users at great risk.
Security expertise requires more than a certificate
Becoming an effective security professional requires more than knowing how to deploy and configure technology. It requires combining security theory with practical, hands-on experience. That is something that few certification solutions currently provide. To address this challenge, we need a new approach that combines the resources of private industry and public institutions.
Here are four suggestions we all need to consider:
1. We need hands-on training for people currently working in IT. Interested IT personnel should be selected and trained in cybersecurity. This can include a mentoring or apprenticeship programme within an organization, funding hands-on training in an accredited educational or industrial setting, or creating a consortium of organizations willing to work together to cross-train security professionals.
For example, at Fortinet we consider ourselves as both a technology and a learning organization. That is why we created the the Network Security Expert (NSE) certification programme, an eight-level certification programme that is helping cybersecurity professionals advance their expertise and knowledge. To date we have provided almost 200,000 certifications and are now collaborating with universities, colleges and non-profits to expand this training to the next-generation of cyber security professionals.
2. We also need to update our formal educational process and encourage more diversity among candidates. Students should be exposed to security issues at an early age. Those students that show promise should be encouraged to enter educational programmes that emphasize or specialize in cybersecurity. Special attention needs to be paid to encouraging women and minorities to participate in these programmes as they are significantly underrepresented in the cybersecurity industry and represent a very real solution to closing the cyber skills gap at scale.
In addition, organizations and governments need to sponsor technical labs for secondary education and university programs, provide mentors, fund scholarships, develop programmes targeted at socially and financially supporting women and minorities, and create cybersecurity internships. As an example of our own efforts, the Network Security Expert programme has been integrated into secondary and post-secondary programmes around the world and there are now 117 Security Academies around the world.
3. Next, we need to leverage military veterans transitioning to civilian life. Today’s modern military relies on technology, which means that transitioning military personnel already have exposure to many of the latest IT tools. Plus, they also have the security perspective trained into them. They understand things like chain of command, establishing and monitoring a fluid perimeter, following established protocols, and applying a defensive outlook to the task at hand.
4. Finally, we need to accelerate our adoption of automation and machine learning. Cybercriminals have been closing the time between a successful breach and exfiltrating data or planting a malicious tool. Based on the current state of the cyber skills shortage, we can no longer rely on humans to detect and respond to these threats fast enough. Automation and machine learning will allow security defences to respond in real time.
In addition, security tools can be trained using machine learning to take over many of the more mundane security tasks, such as patching, updating, or configuring devices. By offloading these activities to an automated system, precious security personnel can be refocused on higher order tasks, such as policy refinement and threat analysis.
We need to start today
More than ever, we all rely on the emerging digital economy. And as our organizations, government agencies, and critical infrastructures move to a digital model, a major security event could have catastrophic consequences for all of us. It is also important to remember that cybersecurity events do not care about political borders. When an infrastructure or economic system is brought down, everyone suffers.
Institutions like the World Economic Forum play a crucial role in bringing people, organizations, and governments together to solve problems with global implications, and the collective effort to mount a global response to the global threat of cybercrime must be even bigger. We need to start now to create a consensus and movement that includes committing intellectual and financial resources towards solving the growing problem of the cybersecurity skills gap. We cannot afford to wait.
—Ken Xie CEO, Fortinet