I'm Calling BS on the Cyber Security Skills Shortage!
Mike Ouwerkerk
DON'T CLICK ON THAT! | Cyber Awareness & Culture | Live Training for Results
I've been doing this cyber industry thing for a while now. Informally for 3 years, formally for a bit over a year. I've learnt a heck of a lot from some amazing people, and I'm exposed to amazing / scary ideas, news and content every single day.
But the big focus in our industry is tech. I talk to recruiters, cyber tech companies, and companies with cyber security issues, and they talk tech.
"Geez, it's hard to get good tech resources," they say. "I need someone to run my SOC, or a Splunk expert, or a good pen tester."
Cyber criminals largely don't care - they adapted years ago, and their main target hasn't been tech for a long time!
Let's Talk Irrational
Nice and simple - most breaches are through staff. They are the primary target, no doubt. Some people will quote that staff are involved in up to 98% of breaches. The exact number doesn't matter; it's really high!
So cyber criminals are targeting staff. And what do we do? Throw more money at tech. That is irrational, pure and simple. I'm not a rocket scientist, but out of this knowledge, I'm fairly confident in saying that if you want to do better with cyber security, train your damn staff!
What's Going on Out There
Small businesses are generally unaware that untrained staff are most likely to be their downfall, and don't know about the multitude of scams we face.
Most small businesses I encounter know about 30% of the information they need to know to stay safe from IT criminals when it comes to staff awareness. That is one glaring big hole!
Generally they don't see it as a real problem, they don't want to spend the money, they'd rather take the risk. Save a few grand now, hopefully don't burn a few hundred grand later.
Bigger businesses are doing cookie-cutter compliance training. Yep, we did awareness training, tick the box, sweet! Yes, it's way better than nothing, but ask someone what they remember of the awareness training in a year's time, and you'll find that you've been accepting significant risk over that time!
Some companies do face-to-face training. That's always going to get better engagement, but can we really expect this knowledge to last a year? How do we keep them informed of new threats? How do we keep them thinking about cyber security awareness every single day, without annoying them?
The Solution
Come on, it's obvious! Yes we need good tech, but a key requirement is well informed staff who will do these basic things:
- Be suspicious. They need to be constantly thinking about whether something could be a scam.
- Stop. Don't click on random stuff, don't let someone through that door, don't give out that information to someone you don't know and trust.
- Think. Apply your knowledge critically to determine if it is a scam.
- Act. If it's a scam, deal with it appropriately. If you're not sure, don't act - find someone to help you!
That's 99% of the battle won right there! And how do we achieve this?
- By embracing cyber security.
- By getting everyone to understand that it's part of their job now.
- By embedding it into the corporate culture, so that staff are always thinking about it, and are constantly given good timely information to keep them on their toes, but without annoying them or hindering their work.
- By rewarding staff for their efforts, and being creative and keeping it fun.
- By talking about it with our friends and family. By sharing information so that people are exposed to the different types of scams, and become more aware and knowledgeable over time.
Final Thoughts
So no, I don't think we have a cyber security skills shortage. I think we have a focus problem because we're spending most of the IT sec budget to fix the smallest issue, and that to me is nuts. Don't get me wrong, we need good tech - when we don't have that, cyber criminals will just move the goal posts again. But right now we should focus on good culture if we want to do better at this battle.
Agree / disagree? Let me know why.
Governance, Risk, Assurance, Finance Executive & Advisor (5 years)
I agree with you to a large degree. If we changed the business focus & regular employee training/awareness to 'data safety & security' relevant to their roles and business impact instead of just a tech term 'cybersecurity', this would improve the organisational culture. Tech roles are part of but not all of the solution to improved cybersecurity and overall data security.
Head of Distribution at CyberArk | Channel Leader | Distribution Professional (5 years)
Hmmm... so you're saying people need to be smarter... good stuff Mike.
Global Leader in Cybersecurity, Managed Services, Strategic Alliances and Research (5 years)
I am beginning to agree with Mike....
Global Leader in Cybersecurity, Managed Services, Strategic Alliances and Research (5 years)
Mark Stafford - in your picture: "In 1966 Cadillac WAS..." and "In 1973 Oldsmobile WAS...." ;) :P
Dark by Design ZeroTrust Principal Executioner. (5 years)
Once the biz allows the cybersecurity team to do its job instead of appeasing the users for an overly permissive network, the problem will self-correct. Currently infosec is a low priority for the biz.