The agency makes several recommendations: higher education should diversify its courses; government, industry and higher education should take a unified approach; EU member states should collaborate more; and better metrics are needed to show the extent of the problem before it can be tackled. As the report points out, the field of cybersecurity has grown substantially over the last decade. Cybersecurity solutions and technologies are widely available from industry and open-source communities, and security processes, standards and laws (whether the international standard for information security management, ISO 27000, the NIST Cybersecurity Framework, or the EU’s own NIS Directive) continue to develop.
Meanwhile, as the report says, ‘there is a lack of skilled and qualified personnel in the labour market to work in cybersecurity roles and who can sufficiently address the range of cyberthreats’. That lack is two-fold: a lack of skills among the non-cyber workforce to perform cybersecurity tasks, and a lack of qualified people to fill specialist cyber roles.
In more detail, the gaps are particularly in application security, cloud computing security, security analysis and investigations, security engineering, and the administration of risk. While some cyber courses do cover the law, ethics and privacy, those topics are likely to become more important, given the EU-wide General Data Protection Regulation (GDPR) and the NIS Directive, the report says.
While the report leaves out the UK after Brexit, it states that of the cyber courses it identified, 38 per cent were taught in English, 17pc in Spanish, 11pc in German, 7pc in Italian, 5pc in French, 4pc in Greek, and 4pc in Portuguese. As for diversity, cyber lacks it: only about 20pc of students on these courses are female, the report suggests, part of a more general under-representation of women in Science, Technology, Engineering and Mathematics (STEM).
The European Union Agency for Cybersecurity, ENISA, is an EU agency, based in Greece. For the full, 73-page report, visit the ENISA website.
Ilia Kolochenko, Founder of ImmuniWeb, is a member of the Europol Data Protection Experts Network. He suggests that the cause of the skills shortage lies in flawed cybersecurity management and strategy. “Frequently, skilled cybersecurity professionals are overwhelmed with sudden and continually changing tasks. For instance, DFIR experts can be tasked to fine-tune a mobile MDM solution, while pentesters are doing SIEM log triage. Skilled cloud defenders can spend their days working with on-premises servers and systems. Every week, the pile of new problems becomes even bigger, eventually preventing cyber teams from doing their jobs effectively. In response, organizations usually hire more cybersecurity professionals – to make things even worse as they are fixing the wrong problem.
“Other organizations gradually increase their annual security budgets to acquire more cybersecurity products and services. New technologies, when added into existing infrastructure without a long-term strategy in mind, usually bring more pain than gain: their installation, integration and management are an arduous task when you operate in a multi-cloud environment connected to obsolete legacy systems hosted on premises, let alone interconnected SaaS systems holding your data. For example, you may buy a state-of-the-art WAF, but due to incomplete visibility of your attack surface, it will protect just 80pc of your external web applications and APIs. Cybercriminals will undoubtedly find the rest, successfully attack them and breach your company despite doubled security spending. We should start with strategy, people and process management, not with blindly hiring or spending more.”