Cyber attacks are on the rise during this year of uncertainty and chaos. Increased working from home, online shopping, and use of social platforms to stay connected and sane during this year have provided criminals with many attack avenues to exploit.
To mitigate the threat to their networks, systems and assets, many organizations perform some type of annual cybersecurity awareness education, as well as phishing simulations. Unfortunately, attackers are quick to adapt to changes while employees’ behavior changes slowly. Without a dramatic shift in how we educate employees about cybersecurity, all industries are going to see a rise in breaches and costs.
Changing the way people learn about cybersecurity
The average employee still doesn’t think about cybersecurity on a regular basis, because they haven’t been taught to “trust but verify,” but to “trust and be efficient.” But times are changing, and employees must be reminded on a daily basis and be aware that they (and the organization) are constantly under attack.
In the 1950s, there was a real push to increase industrial workplace safety. Worker safety and the number of days on a job site without an incident were made top of mind for all employees. How did they manage to force this shift? Through consistent messaging, with diverse ways of communicating, and by using daily reminders to ingrain the idea of security within the organization and change how it functioned.
Hermann Ebbinghaus, a German psychologist whose pioneering research on memory led to the discovery of forgetting and learning curves, explained that without regular reminders that keep learning in mind, we just forget even what’s important. One of the main goals of training must be to increase retention and overcome people’s natural tendency to forget information they don’t see as critical.
Paul Frankland, a neuroscientist and a senior fellow in CIFAR’s Child & Brain Development program, and Blake Richards, a neurobiologist and an associate fellow in CIFAR’s Learning in Machines & Brains program, proposed that the real goal of memory is to optimize decision-making. “It’s important that the brain forgets irrelevant details and instead focuses on the stuff that’s going to help make decisions in the real world,” they said.
Right now, cybersecurity education is lost and forgotten in most employees’ brains. It has not become important enough to help them make better decisions in real-world situations.
A different kind of training is needed to become truly “cyber secure” – a training that keeps the idea of cybersecurity top of mind and part of the critical information retained in the brain.
Microlearning and gamification
Most organizations are used to relatively “static” training. For example: fire safety is fairly simple – everyone knows where the closest exit is and how to escape the building. Worker safety training is also very stagnant: wear a yellow safety vest and a hard hat, make sure to have steel-toed shoes on a job site, etc.
The core messages for most trainings don’t evolve and change. That’s not the case with cybersecurity education and training: attacks are ever-changing, they differ based on the targeted demographic, current affairs, and the environment we are living in.
Cybersecurity education must be closely tied to the value and mission of an organization. It must also be adaptable and evolve with the changing times. Microlearning and gamification are new ways to help encourage and promote consistent cybersecurity learning. This is especially important because of the changing demographics: there are currently more millennials in the workforce than baby boomers, but the training methods have not altered dramatically in the last 30 years. Today’s employee is younger, more tech-savvy and socially connected. Modern training needs to acknowledge and utilize that.
Microlearning is the concept of learning or reviewing small chunks of information more frequently and repeating information in different formats. These variations, repetitions, and continued reminders help the user grasp and retain ideas for the long-term, instead of just memorizing them for a test and then forgetting them.
According to Ebbinghaus, four weeks after a one-time training only 20 percent of the information originally learned is retained by the learner. Microlearning can change those numbers and increase retention to 80 or 90 percent.
Gamification amplifies specific game-playing elements within the training to include competition, points accumulation, leaderboards, badges, and battles. Gamification blends with microlearning by turning bite-sized chunks of learning into neurochemical triggers, releasing dopamine, endorphins, oxytocin, and serotonin. These chemicals help reduce stress and anxiety (sometimes associated with learning new material), increase “feel good sensations” and feelings of connection.
Gamification increases the motivation to learn as well as knowledge recall by stimulating an area of the brain called the hippocampus. From a business perspective, 83% of employees who “receive gamified training feel motivated, while 61% of those who receive non-gamified training feel bored and unproductive.”
Other reports indicate that companies who use gamification in their training have 60% higher engagement and find it enhances motivation by 50%. Combining microlearning with gamification helps create better training outcomes with more engaged, involved employees who remember and use the skills learned within the training.
The bad guys don’t stop learning and trying new things, meaning the good guys must, too.
Cybersecurity is increasingly central to the existence of an organization, but it’s fairly new, rapidly evolving, and often a source of fear and uncertainty in people. No one wants to admit their ignorance and yet, even cyber experts have a hard time keeping up with the constant changes in the industry. A highly supported microlearning program can help keep employees current and empower them with key decision-making knowledge.
26% of remote workers have experienced a cyber attack personally, while 45% of employers have asked their employees to use their personal devices for work since the start of the pandemic, according to Microsoft research.
The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.
The accelerated transition to homeworking is placing pressure on organizations to support the unavoidable blending of personal and professional lives more than ever before.
However, this naturally creates new risks, including the increased risk of cyber attacks. This was reflected in the research which showed that only 17% of remote workers currently believe that the software and technology provided has done enough to protect their data.
This could be in some way due to the pace at which employers had to transition to remote working environments, with 36% of employers admitting they have spent the past few months putting in place the security, privacy, and workplace procedures required for today’s remote working world.
Remote workers’ information protection concerns
76% of workers were surprised by how well they had adapted to remote working. However, one in five employees feel their data is more vulnerable when working from home due to the absence of regular IT support.
The research points to some potentially dangerous cybersecurity issues amongst remote workers:
- Personal emails: 30% of workers still use personal email accounts to share confidential work materials.
- Poor password hygiene: One third of workers use the same password to log into work and personal devices.
- Unregulated access: 43% face no security restrictions when accessing work-related documents and materials remotely.
Employers’ security management concerns
One of the most concerning findings is that organizations are potentially side-stepping their own security procedures in the name of expediency:
- Reactive approach: One third of employers acknowledge they are exposed since they had to make remote-working decisions and transitions so quickly.
- Lack of devices: 45% of employers have had to ask their employees to use their personal devices for work purposes since the start of the pandemic.
- No remote BYOD policies: 42% of employers are yet to secure those remote employees’ personal devices.
Furthermore, 41% of employers acknowledge it has become increasingly difficult to remain GDPR compliant because of the pandemic.
The report identified an escalation in both the level and sophistication of attacks. For example:
- Over 13bn malicious and suspicious mails were blocked, out of which more than 1bn were URLs set up for the explicit purpose of phishing credential attacks in 2019.
- Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.
Des Ryan, Solutions Director for Microsoft Ireland, said: “Cyber hackers are opportunistic, skilled, and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
“While our physical work locations may have changed, our responsibilities in protecting organizational data and complying with data regulations have not. Now is the time to address this with an increased investment in cybersecurity, secure devices, tighter policies, increased support, and education for employees so they can play an important role in not only protecting themselves but also their organizations.”
Cloud-based services and hybrid working
When asked about the future, 58% believe they will have a hybrid workforce in future as more staff work from home more of the time and others are in the office.
57% felt more positive about using cloud-based services, including productivity tools.
Remote priorities: Training, support and investment
However, the research shows that Irish organizations understand there is a gap with 41% admitting they are behind the curve when it comes to having the right digital services and technologies in place to deal with new working realities.
As a result of the move to remote working, employers are focused on investment in digital security. The research found:
- 38% of organizations have already increased the level and detail of cybersecurity training for staff who are working from home.
- A further 52% will prioritise investing in training in 2021.
- 44% of workers would also welcome alternatives to passwords, with biometric verification (fingerprint or facial recognition) being the most popular options.
The Executive MBA Council (EMBAC) published research which addresses how business education needs to evolve to keep pace with changing demands and expectations about professional development from both students and their employers over the next five years and beyond.
The study draws on new original qualitative research from in-depth interviews with relevant decision makers at international business schools and within major employers who invest in working professional development. It also involved a survey of over 300 individual learners who were looking to take business school courses in the next five years.
“The relationship between employees and employers has been evolving for some time, and this study opens up what that means for the future of working professional education. Economic uncertainty, online learning, lifelong development, remote working, and digital transformation in business schools and other organizations are not new.
“However, the global pandemic is accelerating these trends. Our sector will benefit from a healthy and honest debate about how future ways of learning and work can help leaders in business and business education find new answers to the problems of our time,” said Michael Desiderio, executive director of EMBAC.
Working professional education: Key findings
- 38% of individual learners said they rated blended learning (face to face and online) as their ideal skills development path for the next five years.
- When choosing a business school, the top requirements are flexibility in how learning is delivered (45%), how much the school embraces digital transformation (42%) and how much the program will accelerate career prospects (37%).
- More than three quarters of employer respondents believe that business schools need to develop short, inexpensive programs that deliver relevant skills for those working and be clear about how their offer positively impacts our wider society, not just the business industry.
- While employers agree that leadership remains an important skill for development, new leadership models are emerging that have stronger roots in “soft skills” such as emotional intelligence, more agility and conscious, continuous learning.
- Employers also point out that as the workforce ages, one of the most frequently sought-after development programs is how to manage effectively across generations since attitudes and lifestyles can vary significantly.
Fundamental shifts in the workforce were already taking place
While COVID-19 may have accelerated change in the workforce, fundamental shifts were already taking place. There is no one-size-fits-all solution, with the different circumstances – economic, political and social – having a significant impact on the approach that a school decides to take.
However, it is clear that institutions will need to evolve from the focus on quantity of degrees awarded to becoming a learning partner to companies and organizations; keenly understanding the needs of both the workforce and individual industries.
Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimated 1500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.
Black Book Market Research surveyed 2,464 security professionals from 705 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyberattacks.
Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.
The healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026, starting at $18 billion in 2021 and increasing 20% each year to nearly $37 billion in 2026. In Q3 2020, 82% of CIOs and CISOs in health systems agree that the dollars currently spent were not allocated effectively prior to their tenure, often being spent only after breaches and without a full gap assessment of capabilities led by senior management outside of IT.
Talent shortage for cybersecurity pros continues
Additionally, 291 healthcare industry human resources executives were surveyed to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70% longer to fill than other IT jobs.
Health systems are struggling to find workers with cybersecurity-related skills: vacancy durations reported by the HR survey respondents average about 118 days to fill positions, nearly three times as high as the national average for other industries.
“The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position,” said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.
Seventy-five percent of the sixty-six health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path because of one main reason.
More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and the financial and reputation impacts to the provider organization despite having extremely limited decision-making technology or policy making authority.
COVID-19 has greatly increased risk of data breaches
Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks.
The survey found that 90% of health systems and hospital employees who shifted to working at home due to the pandemic did not receive any updated guidelines or training on the increasing risk of accessing sensitive patient data compromising systems.
“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem,” said Locastro.
Forty percent of all clinical hospital employees still receive little or no cybersecurity awareness training in 2020, beyond initial education on log in access.
Fifty-nine percent of health system CIOs surveyed are shifting security strategies to address user authentication and access as malicious incidents and hackers are the 2020 attacker’s go-to entry point of choice for health systems.
Stolen and compromised credentials were ongoing issues for 53% of health systems surveyed as hackers are increasingly using cloud misconfigurations to breach networks.
Cybersecurity consulting and advisory services are in high demand
Sixty-nine percent of 219 C-Suite respondents state their health system’s budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.
“In today’s highly competitive cybersecurity market there isn’t enough talent to staff hospitals and health systems,” said Locastro.
“As provider organizations struggle to recruit, hire and retain in-house staff, the plausible choice is retaining an experienced advisory firm that is capable of identifying and remediating hidden security vulnerabilities, which appeals to the strategic and economic sense of boards and CEOs.”
Healthcare cybersecurity challenges find resolutions from outsourced services
“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Locastro. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”
That shortage of healthcare cybersecurity professionals and a lack of appropriate technology solutions implemented is forcing a rush to acquire services and outsourcing at a pace five times more than the acquisition of cybersecurity products and software solutions.
Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.
“The key place to start when choosing a cybersecurity services vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization’s risk framework to select your best-suited vendor,” said Locastro.
“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”
Fifty-one percent of in-house IT management respondents with purchasing authority report their group is not aware of the full variety of cybersecurity solution sets that exist, particularly mobile security environments, intrusion detection, attack prevention, forensics and testing in various healthcare settings.
Cybersecurity in healthcare provider organizations remains underfunded
The dollars actually spent on healthcare industry cybersecurity products and services are increasing, averaging 21% year over year since 2017. Extended estimates project that nearly $140 billion will be spent by health systems and health insurers by 2026.
However, 82% of hospital CIOs in inpatient facilities under 150 staffed beds and 90% of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.
“Outdated IT systems, fewer cybersecurity protocols, untrained IT staff on evolving security skills, and data-rich patient files are making healthcare the current target of hacker attacks,” said Locastro. “And the willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records.”
“Threats are now four times more likely to be centered on healthcare than any other industry, and ransomware attacks are increasing in popularity because of the amount of privileged information the hacker can obtain,” said Locastro.
“Providers at the point-of-care haven’t kept pace with the cybersecurity progress and tools that manufacturers, IT software vendors, and the FDA have made either.”
Healthcare consumers willing to change providers if patient privacy was compromised
Eighty percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the healthcare industry in 2020.
Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.
“Medical and financial leaders have wielded more influence over organizational budgets and made it difficult for IT management to implement needed cybersecurity practices despite the existing environment, but now consumers are beginning to react negatively to the provider’s lack of protection solutions.”
A poll of 3,500 healthcare consumers that used medical or hospital services in the last eighteen months revealed 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.
For the first time, there’s a year-over-year reduction in the cybersecurity workforce gap, due in part to increased talent entry into the field and uncertain demand due to the economic impact of COVID-19, (ISC)² finds.
The research, conducted from mid-April through June 2020, also provides insights from cybersecurity professionals about their organizations’ COVID-19 pandemic response, and the massive effort required to quickly and securely transition their staffs to remote working environments.
Decrease in the global cybersecurity workforce shortage
The study reveals that the cybersecurity profession experienced substantial growth in its global ranks, increasing to 3.5 million individuals currently working in the field, an addition of 700,000 professionals or 25% more than last year’s workforce estimate.
The research also indicates a corresponding decrease in the global workforce shortage, now down to 3.12 million from the 4.07 million shortage reported last year. Data suggests that employment in the field now needs to grow by approximately 41% in the U.S. and 89% worldwide in order to fill the talent gap, which remains a top concern of professionals.
In a historically unprecedented year, the study also focused on how security teams and professionals were impacted by COVID-19. The data shows that 30% of cybersecurity professionals faced a deadline of one day or less to transition their organizations’ staff to remote work and to secure their newly transformed IT environments.
92% of respondents indicated that their organization was “somewhat” or “very” prepared to respond, and just 18% saw security incidents increase during this time.
“The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”
- Job satisfaction rates increased year-over-year, with 75% of respondents saying they are either “somewhat” or “very” satisfied
- The average annual cybersecurity salary is highest in North America at $112,000
- 56% of respondents say their organizations are at risk due to cybersecurity staff shortages
- Cybersecurity practitioners are concerned that security budgets will be impacted by revenue losses related to COVID-19. 54% are concerned about personnel spending while 51% are concerned about technology spending
- 23% said that they or a peer had been laid off as a result of the pandemic
- 78% of cybersecurity professionals who still need to work from an office say they are either “somewhat” or “very” concerned about their personal safety in relation to COVID-19
- Cloud computing security is far and away the most in-demand skillset, with 40% of respondents indicating they plan to develop it over the next two years
- Just 49% of those in the field hold degrees in computer and information sciences, highlighting the fact that many of the professionals responsible for cybersecurity come from other areas of expertise
43% of C-suite executives and 12% of small business owners (SBOs) have experienced a data breach, according to Shred-it.
While businesses are getting better at protecting their customers’ personal and sensitive information, their focus on security training and protocols has declined in the last year. This decline could pose issues for businesses, as 83% of consumers say they prefer to do business with companies who prioritize protecting their physical and digital data.
The findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers or external hard drives) and digital (including malware, ransomware and phishing scams), have outpaced efforts and investments to combat them.
The report, which was completed prior to COVID-19, also exposes that more focus is needed around information security in the home, where C-suites and SBOs feel the risk of a data breach is higher.
While advancements in technology have allowed businesses to move their information to the cloud, only 7% of C-suites and 18% of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security.
Having policies in place can mitigate the risk of physical security breaches
C-suites and SBOs indicated external threats from vendors or contractors (25% C-suites; 18% SBOs) and physical loss or theft of sensitive information (22% C-suites, 19% SBOs) are the top information security threats facing their business.
Yet, the number of organizations with a known and understood policy for storing and disposing of confidential paper documents adhered to by all employees has declined 13% for C-suites (73% in 2019 to 60% in 2020) and 11% for SBOs (57% in 2019 to 46% in 2020).
In addition, 49% of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices.
While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies.
77% of C-suites and 53% of SBOs had employees who regularly or periodically work off-site. Despite this trend, 53% of C-suites and 41% of SBOs have remote work policies in place that are strictly adhered to by employees working remotely (down 18% from 71% in 2019 for C-suites; down 8% from 49% in 2019 for SBOs).
“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and CEO, Stericycle.
“As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”
Better training on security procedures and policies is needed
When it comes to training, 24% of C-suites and 54% of SBOs reported having no regular employee training on information security procedures or policies.
Additionally, the number of organizations that regularly train employees on how to identify common cyber-attack tactics, such as phishing, ransomware or other malicious software, declined 6% for C-suites (from 88% in 2019 to 82% in 2020) and 7% for SBOs (from 52% in 2019 to 45% in 2020).
“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, VP of data protection, Stericycle.
“To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”
Businesses deal with data security and declining consumer trust
While many U.S. businesses feel they are getting better at protecting sensitive information, declining consumer trust and increased expectations may impact the bottom line.
- 86% of consumers are concerned that private, personal information about them is present on the internet.
- 24% of consumers would stop doing business with a company if their personal information was compromised in a data breach. Beyond losing their loyalty, consumers would lose trust in the business (31%) and demand to know what the business is doing to prevent future breaches (31%).
- 38% of consumers trust that all physical and digital data breaches are properly disclosed to consumers (up 4% from 34% in 2019).
Businesses are reducing focus on policies for disposing of confidential information despite physical theft and vendor threats being top risks.
- While 60% of C-suites and 46% of SBOs have a known and understood policy for storing and disposing of confidential paper documents, strict employee adherence to these policies has declined from 2019: down 13% from 73% in 2019 for C-suites and down 11% from 57% in 2019 for SBOs.
- Additionally, 10% of C-suites and 38% of SBOs admit they have no policies in place for disposing of confidential paper documents, up 4% for C-suites (from 10% in 2019) and 8% for SBOs (from 30% in 2019).
Remote work has increased over the years, but information security policies are lacking.
- Prior to the COVID-19 pandemic, 45% of small businesses did not have a policy for storing and disposing of confidential information when employees work off-site from the office.
- A secondary study found that 75% of employees own a home printer that they use to print work documents and 43% print work-related documents weekly.
While almost 95 percent of cybersecurity issues can be traced back to human error, such as accidentally clicking on a malicious link, most governments have not invested enough to educate their citizens about the risks, according to a report from the Oliver Wyman Forum.
Cyber risk literacy of the population
Cyber literacy, along with financial literacy, is a new 21st century priority for governments, educational institutions, and businesses.
“The situation has become even more pressing during the pandemic as our reliance on the internet has grown. Yet many citizens still lack the basic skills to keep themselves, their communities, and their employers safe.”
50 geographies, including the European Union, were assessed on the present cyber risk literacy of their populations, and on the nature of related education and training available to promote and enable future cyber risk literacy.
Specifically, the Index measures five key drivers of cyber risk literacy and education: the public’s motivation to practice good cybersecurity hygiene; government policies to improve cyber literacy; how well cyber risks are addressed by education systems; how well businesses are raising their employees’ cyber skills; and the degree to which digital access and skills are shared broadly within the population.
How are assessed countries doing?
Switzerland, Singapore and the UK topped the list because of their strong government policies, education systems and training, practical follow through and metrics as well as population motivation to reduce risk.
Switzerland, the number one ranked country, has a comprehensive implementation document that lays out specific responsibilities along with what national or provincial legislation is required. Specific milestones are set, and timelines are assigned to ensure accountability regardless of who oversees the government.
Singapore, which is ranked second, has prioritized cybersecurity education efforts from early childhood to retirees. It established the Cyber Security Agency of Singapore to keep its cyberspace safe and secure. Its cyber wellness courses occur over multiple grades and focus on social and practical safety tips such as understanding cyber bullying.
The UK, ranked third, has the most integrated cyber system because it incorporates cyber risk into both primary and secondary education. The UK’s National Cyber Security Strategy of 2016-2021 is also one of the strongest plans globally. The US ranked 10th.
Countries that rank lower lack an overall national strategy and fail to emphasize cyber risk in schools. Some countries in emerging markets are only beginning to identify cybersecurity as a national concern.
“Governments that want to improve the cyber risk literacy of their citizens can use the index to strengthen their strategy by way of adopting new mindsets, trainings, messaging, accessibility and best practices,” Mee added. “With most children using the internet by the age of four, it is never too early to start teaching your citizens to protect themselves.”
Despite highly publicized risks of data-sharing and AI, from facial recognition to political deepfakes, leadership at many organizations seems to be vastly underestimating the ethical challenges of the technology, NTT DATA Services reveals.
Just 12% of executives and 15% of employees say they believe AI will collect consumer data in unethical ways, and only 13% of executives and 19% of employees say AI will discriminate against minority groups.
Surveying 1,000 executive-level and non-executive employees across industries in North America in early 2020, the results indicate that organizations are eager to increase the pace of transformation.
AI and automation technologies play a vital role, helping businesses improve decision-making, business processes and even workplace culture. In fact, 61% say that AI will speed up innovation, and respondents say the technology is beginning to support improvements to efficiency (83%) and productivity (79%). Yet, there are many challenges with adoption and implementation, with ethical considerations and data security among the top few.
“AI presents one of the great leadership opportunities and challenges of our time. Leaders must be diligent in striking the balance, but they don’t have to go it alone,” said Eric Clark, Chief Digital Officer, NTT DATA Services.
“Our study outlines how businesses can take full advantage of emerging technologies and accelerate transformation, while taking necessary precautions on the path to responsible and secure adoption of artificial intelligence.”
Ethics and effectiveness of AI
For AI to be effective and avoid ethical pitfalls, businesses need to ensure that AI isn’t being programmed with biases that could lead to ethically charged decision-making or that cause AI to malfunction in some way.
One-quarter of executives and 36% of employees say they have experienced AI ignoring a command, and about one-fifth of both groups say AI offered them suggestions that reflected bias against a marginalized group.
Organizations do not have money or time to waste on technology investments gone wrong—so they must pivot their organizations to focus on agility, talent, change management, ethics, and other pressing issues.
Automation’s impact on the modern workforce
Modernizing the workforce means giving all employees access to the data and technologies that help them achieve optimum productivity. Most executives and employees believe that AI and automation will help improve employee effectiveness.
71% of executives say AI will make employees more efficient, 69% say it will improve employee accuracy, and 61% say it will speed up innovation. For this to happen, leaders need to invest in reskilling their workforce to get the most value out of emerging technologies.
Empowering the workforce through technology not only helps improve the bottom line, it helps drive employee retention – with 45% of employees responding they would be motivated to stay by education opportunities.
“The study overall paints a realistic picture of what we are seeing in the market,” said Tom Reuner, Senior Vice President at HFS Research.
“Going forward, enterprises will have to manage talent, organization, culture and provide the right environment for the new workforce, which seeks interesting projects and looks for meaning and motivation. AI technologies and methodologies are a critical enabler on that journey.”
AI adoption to create culture of speed, reinvention
Businesses and entire markets are being remade in terms of opportunity, operations and customer expectations, and there is no going back to the old pace of innovation. In fact, 47% of those surveyed believe failing to implement AI in some way will cause them to lose customers to competitors, and 44% think the bottom line will suffer.
However, few employees at companies surveyed think the pace of change at their organization is fast enough. In fact, less than one-third of executives and employees describe the pace of technology change, process change, or executive decision-making at their company as fast.
Even fewer—just 18% of employees and 19% of executives—say culture, which plays a major role in determining how workers respond to adjustments in technology and processes, changes quickly. This creates an opportunity for AI to drive sweeping change and speed up the pace of innovation and technology adoption.
For better or for worse, the global COVID-19 pandemic has confined most of us to our own countries (our houses and apartments, even), has changed how and from where we do our work, and has restricted our social lives.
The distractions and tools still available to help us battle our growing anxiety and sadness are few, but some of them, such as learning new things, are very powerful. Happily for all of us, many courses and trainings that were previously available only on-site are now virtual, opening new prospects and opportunities.
Among these new offerings is HITBSecTrain, an initiative launched by the organizers of Hack in the Box security conference, which has been offering deep-knowledge technical trainings in numerous cities (including Kuala Lumpur, Singapore, Amsterdam, Dubai, Bahrain, and Beijing) since 2003.
Known for featuring specialized security courses, HITB has worked with nearly 100 trainers across the years to offer cool, atypical trainings for security folks looking to hone their skills.
Now, in response to constant feedback from trainees who asked that HITB offer more specialized topics, more subject matter experts, more often in the year, they’ve set up HITBSecTrain, which will offer HITB trainings on a monthly basis instead of just during HITB conference events.
In October, the courses on offer taught attendees about big data analytics, malware reverse-engineering and threat hunting, bug hunting and cloud security.
In November, to coincide with the virtual edition of HITBCyberWeek 2020, 10 deep-knowledge technical trainings are being offered, covering topics such as: 5G security awareness, practical malware analysis and memory forensics, mobile hacking, secure coding and DevSecOps, applied data science and machine learning for cybersecurity, and more.
For now, while courses run virtual, classes are via livestream, with virtual lab environments and structured through a learning management system. All trainees will receive digital certs corresponding to their course choice, with additional badges awarded for completion of practical tests and quizzes.
With the new virtual format, HITB trainers are incorporating more interactive quizzes, collective exercises and practical assessments into their courses that will help trainees engage better with the content and with each other. This will also help to understand better whether trainees have effectively gained the skills they sought from their course.
Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned than their veteran counterparts that the technology will replace their roles, according to research by Exabeam.
Overall, satisfaction levels continued a 3-year positive trend, with 96% of respondents indicating they are happy with role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity with female respondents increasing from 9% in 2019 to 21% this year.
“The concern for automation among younger professionals in cybersecurity was surprising to us. In trying to understand this sentiment, we could partially attribute it to lack of on-the-job training using automation technology,” said Samantha Humphries, security strategist at Exabeam.
“As we noted earlier this year in our State of the SOC research, ambiguity around career path or lack of understanding about automation can have an impact on job security. It’s also possible that this is a symptom of the current economic climate or a general lack of experience navigating the workforce during a global recession.”
AI and ML: A threat to job security?
Of respondents under the age of 45, 53% agreed or strongly agreed that AI and ML are a threat to their job security. This is contrasted with just 25% of respondents 45 and over who feel the same, possibly indicating that subsets of security professionals in particular prefer to write rules and manually investigate.
Interestingly, when asked directly about automation software, 89% of respondents under 45 years old believed it would improve their jobs, yet 47% are still threatened by its use. This is again in contrast with the 45 and over demographic, where 80% believed automation would simplify their work, and only 22% felt threatened by its use.
Examining the sentiments around automation by region, 47% of US respondents were concerned about job security when automation software is in use, as well as SG (54%), DE (42%), AUS (40%) and UK (33%).
In the survey, which drew insights from professionals throughout the US, the UK, AUS, Canada, India and the Netherlands, only 10% overall believed that AI and automation were a threat to their jobs.
On the flip side, there were noticeable increases in job approval across the board, with an upward trend in satisfaction around role and responsibilities (96%), salary (87%) and work/life balance (77%).
Diversity showing positive signs of improvement
When asked what else they enjoyed about their jobs, respondents listed working in an environment with professional growth (15%) as well as opportunities to challenge oneself (21%) as top motivators.
53% reported jobs that are either stressful or very stressful, which is down from last year (62%). Interestingly, despite being among those that are generally threatened by automation software, 100% of respondents aged 18-24 reported feeling secure in their roles and were happiest with their salaries (93%).
Though the number of female respondents increased this year, it remains to be seen whether this will emerge as a trend. This year’s male respondents (78%) are down 13% from last year (91%).
In 2019, nearly 41% were in the profession for at least 10 years or more. This year, a larger percentage (83%) have 10 years or less, and 34% have been in the cybersecurity industry for five years or less. Additionally, one-third do not have formal cybersecurity degrees.
“There is evidence that automation and AI/ML are being embraced, but this year’s survey exposed fascinating generational differences when it comes to professional openness and using all available tools to do their jobs,” said Phil Routley, senior product marketing manager, APJ, Exabeam.
“And while gender diversity is showing positive signs of improvement, it’s clear we still have a very long way to go in breaking down barriers for female professionals in the security industry.”
As many business leaders look to close the skills gap and cultivate a sustainable workforce amid COVID-19, an IBM Institute for Business Value (IBV) study reveals less than 4 in 10 human resources (HR) executives surveyed report they have the skills needed to achieve their enterprise strategy.
COVID-19 exacerbated the skills gap in the enterprise
Pre-pandemic research in 2018 found as many as 120 million workers surveyed in the world’s 12 largest economies may need to be retrained or reskilled because of AI and automation in the next three years.
That challenge has only been exacerbated in the midst of the COVID-19 pandemic – as many C-suite leaders accelerate digital transformation, they report inadequate skills is one of their biggest hurdles to progress.
Employers should shift to meet new employee expectations
Ongoing consumer research also shows surveyed employees’ expectations for their employers have significantly changed during the COVID-19 pandemic but there’s a disconnect in how effective leaders and employees believe companies have been in addressing these gaps.
74% of executives surveyed believe their employers have been helping them learn the skills needed to work in a new way, compared to just 38% of employees surveyed, and 80% of executives surveyed said their company is supporting employees’ physical and emotional health, but only 46% of employees surveyed agreed.
“Today perhaps more than ever, organizations can either fail or thrive based on their ability to enable the agility and resiliency of their greatest competitive advantage – their people,” said Amy Wright, managing partner, IBM Talent & Transformation.
“Business leaders should shift to meet new employee expectations brought on by the COVID-19 pandemic, such as holistic support for their well-being, development of new skills and a truly personalized employee experience even while working remotely.
“It’s imperative to bring forward a new era of HR – and those companies that were already on the path are better positioned to succeed amid disruption today and in the future.”
The study includes insights from more than 1,500 global HR executives surveyed in 20 countries and 15 industries. Based on those insights, the study provides a roadmap for the journey to the next era of HR, with practical examples of how HR leaders at surveyed “high-performing companies” – meaning those that outpace all others in profitability, revenue growth and innovation – can reinvent their function to build a more sustainable workforce.
- Nearly six in 10 high performing companies surveyed report using AI and analytics to make better decisions about their talent, such as skilling programs and compensation decisions. 41% are leveraging AI to identify skills they’ll need for the future, versus 8% of responding peers.
- 65% of surveyed high performing companies are looking to AI to identify behavioral skills like growth mindset and creativity for building diverse adaptable teams, compared to 16% of peers.
- More than two thirds of all respondents said agile practices are essential to the future of HR. However, less than half of HR units in participating organizations have capabilities in design thinking and agile practices.
- 71% of high performing companies surveyed report they are widely deploying a consistent HR technology architecture, compared to only 11% of others.
“In order to gain long-term business alignment between leaders and employees, this moment requires HR to operate as a strategic advisor – a new role for many HR organizations,” said Josh Bersin, global independent analyst and dean of the Josh Bersin Academy.
“Many HR departments are looking to technology, such as the cloud and analytics, to support a more cohesive and self-service approach to traditional HR responsibilities. Offering employee empowerment through holistic support can drive larger strategic change to the greater business.”
Three core elements to promote lasting change
According to the report, surveyed HR executives from high-performing companies were eight times as likely as their surveyed peers to be driving disruption in their organizations. Among those companies, the following actions are a clear priority:
- Accelerating the pace of continuous learning and feedback
- Cultivating empathetic leadership to support employees’ holistic well-being
- Reinventing their HR function and technology architecture to make more real-time data-driven decisions
As the Information Age slowly gives way to the Fourth Industrial Revolution, and as the rise of IoT and IIoT, on-demand availability of computer system resources, big data and analytics, and cyber attacks aimed at business environments affect our everyday lives, there’s an increasing need for knowledgeable cybersecurity professionals and, unfortunately, an increasing cybersecurity workforce skills gap.
The cybersecurity skills gap is huge
A year ago, (ISC)² estimated that the global cybersecurity workforce numbered 2.8 million professionals, when there’s an actual need for 4.07 million.
According to a recent global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG), there has been no significant progress towards a solution to this problem in the last four years.
“What’s needed is a holistic approach of continuous cybersecurity education, where each stakeholder needs to play a role versus operating in silos,” ISSA and ESG stated.
Those starting their career in cybersecurity need many years to develop real cybersecurity proficiency, the respondents agreed. They need cybersecurity certifications and hands-on experience (i.e., jobs) and, ideally, a career plan and guidance.
Continuous cybersecurity training and education are key
Aside from the core cybersecurity talent pool, new job recruits are new graduates from universities, consultants/contractors, employees at other departments within an organization, security/hardware vendors and career changers.
One thing they all have in common is the need for constant additional training, as technology advances and changes and attackers evolve their tactics, techniques and procedures.
Though most IT and security professionals use their own free time to improve their cyber skills, they must learn on the job and get effective support from their employers for their continued career development.
Times are tough – there’s no doubt of that – but organizations must continue to invest in their employees’ career and skills development if they want to retain their current cybersecurity talent, develop it, and attract new, capable employees.
“The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles,” noted Deshini Newman, Managing Director EMEA, (ISC)².
Certifications show employers that cybersecurity professionals have the knowledge and skills required for the job, but also indicate that they are invested in keeping pace with a myriad of evolving issues.
“Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities,” she pointed out.
78% of SMBs indicated that having a privileged access management (PAM) solution in place is important to a cybersecurity program – yet 76% of respondents said that they do not have one that is fully deployed, a Devolutions survey reveals.
While it’s a positive trend that the majority of SMBs recognize the importance of having a PAM solution, the fact that most of the respondents don’t have a PAM solution in place reflects that there is inertia when it comes to deployment.
SMBs are not immune, company size doesn’t protect from cyberattacks
Global cybercrime revenues have reached $1.5 trillion per year. And according to IBM, the average price tag of a data breach is now $3.86 million per incident. Despite these staggering figures, there remains a common (and inaccurate) belief among many SMBs that the greatest security vulnerabilities exist in large companies.
However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats – and the complacency regarding this reality can have disastrous consequences.
“SMBs must not assume that their relatively smaller size will protect them from cyberattacks. On the contrary, hackers, rogue employees and others are increasingly targeting SMBs because they typically have weaker – and, in some cases, virtually non-existent – defense systems.
“SMBs cannot afford to take a reactive wait-and-see approach to cybersecurity because they may not survive a cyberattack. And even if they do, it could take several years to recover costs, reclaim customers and repair reputation damage,” said Devolutions CEO David Hervieux.
Key findings from the survey
To dig deeper into the mindset of SMBs about cybersecurity, Devolutions conducted a survey of 182 SMBs from a variety of industries – including IT, healthcare, education, and finance. Some notable findings include:
- 62% of SMBs do not conduct a security audit at least once a year – and 14% never conduct an audit at all.
- 57% of SMBs indicated they have experienced a phishing attack in the last three years.
- 47% of SMBs allow end users to reuse passwords across personal and professional accounts.
These findings reinforce the need for better cybersecurity education for smaller companies.
“Conducting this survey reaffirmed to us that while progress is being made, there is still a lot of work to do for many SMBs to protect themselves from cybercrime. We plan to conduct a survey like this each year so that we can identify the most current trends and in turn help our customers address their most pressing needs,” added Hervieux.
Protect from cyberattacks: The role of MSPs
One way for SMBs to close the cybersecurity gap is to seek out a trusted managed service provider (MSP) for guidance and implementation of cybersecurity solutions, monitoring and training programs. Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources.
MSPs have an opportunity to strengthen their relationship with existing customers and expand their client base by becoming cyber experts who can advise SMBs on various cybersecurity issues, trends and solutions – as well as offer the ability to promptly respond to any security incidents that may arise and take swift action.
“We expect more and more MSPs will be adding cybersecurity solutions and expertise to their portfolio of offerings to meet this demand,” Hervieux concluded.
Prevent privileged account abuse
Organizations must keep critical assets secure, control and monitor sensitive information and privileged access, and vault and manage business-user passwords – all while ensuring that employees are productive and efficient. This is not an easy task for SMBs without the right solution in place.
Many PAM and password management solutions on the market are prohibitively expensive or too complex for what SMBs need.
Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, research from CompTIA finds.
Eight in 10 organizations surveyed said their cybersecurity practices are improving.
At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.
Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.
“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”
Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.
“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”
As a result, companies have a better understanding of what to do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical.
Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are established to tie security activity to business objectives.
IT teams’ foundational skills
The report also highlights how the “cybersecurity chain” has expanded to include upper management, boards of directors, business units and outside firms in addition to IT personnel in conversations and decisions.
Within IT teams, foundational skills such as network and endpoint security have been paired with new skills, including identity management and application security, that have become more important as cloud and mobility have taken hold.
On the horizon, expect to see skills related to security monitoring and other proactive tactics gain a bigger foothold. Examples include data analysis, threat knowledge and understanding the regulatory landscape.
Cybersecurity insurance is another emerging area. The report reveals that 45% of large companies, 41% of mid-sized firms and 37% of small businesses currently have a cyber insurance policy.
Common coverage areas include the cost of restoring data (56% of policy holders), the cost of finding the root cause of a breach (47%), coverage for third-party incidents (43%) and response to ransomware (42%).
Cybersecurity threats are growing every day, be they aimed at consumers, businesses or governments. The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles.
The rapid digital transformation it has forced upon us has seen us rely almost totally on the internet, ecommerce and digital communications to do everything from shopping to working and learning. It has brought into stark focus the threats we all face and the importance of cybersecurity skills at every level of society.
European Cybersecurity Month is a timely reminder that we must not become complacent and must redouble our efforts to stay safe online and bolster the cybersecurity skills base in society. This is imperative not only to manage the challenges we face today, but to ensure we can rise to the next wave of unknown, sophisticated cybersecurity threats that await us tomorrow.
Developing cybersecurity education at all levels, encouraging more of our students to embrace STEM subjects at an early age, educating consumers and the elderly on how to spot and avoid scams are critical to managing the challenge we face. The urgency and need to build our professional cybersecurity workforce is paramount to a safe and secure cyber world.
With a global skills gap of over four million, the cybersecurity professional base must grow substantially now in the UK and across mainland Europe to meet the challenge facing organisations, at the same time as we lay the groundwork to welcome the next generation into cybersecurity careers. That means a stronger focus on adult education, professional workplace training and industry-recognised certification.
At this key moment in the evolution of digital business and the changes in the way society functions day-to-day, certification plays an essential role in providing trust and confidence on knowledge and skills. Employers, government, law enforcement – whatever the function, these organisations need assurance that cybersecurity professionals have the skills, expertise and situational fluency needed to deal with current and future needs.
Certifications provide cybersecurity professionals with this important verification and validation of their training and education, ensuring organisations can be confident that current and future employees holding a given certification have an assured and consistent skillset wherever in the world they are.
The digital skills focus of European Cybersecurity Month is a reminder that there is a myriad of evolving issues that cybersecurity professionals need to be proficient in including data protection, privacy and cyber hygiene to name just a few.
However, certifications are much more than a recognised and trusted mark of achievement. They are a gateway to ensuring continuous learning and development. Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities.
Ultimately, we must remember that cybersecurity skills, education and best practice is not just a European issue, and neither is it a political issue. Rather, it is a global challenge that impacts every corner of society. Cybersecurity mindfulness needs to be woven into the DNA of everything we do, and it starts with everything we learn.
Nearly six in ten organizations have accelerated their digital transformation due to the COVID-19 pandemic, an IBM study of global C-suite executives revealed.
Top priorities are shifting dramatically as executives plan for an uncertain future
Digital transformation barriers
Traditional and perceived barriers like technology immaturity and employee opposition to change have fallen away – in fact, 66% of executives surveyed said they have completed initiatives that previously encountered resistance.
Participating businesses are seeing more clearly the critical role people play in driving their ongoing transformation. Leaders surveyed called out organizational complexity, inadequate skills and employee burnout as the biggest hurdles to overcome – both today and in the next two years.
The study finds a significant disconnect in how effective leaders and employees believe companies have been in addressing these gaps. While 74% of executives surveyed believe they have been helping their employees learn the skills needed to work in a new way, just 38% of employees surveyed agree.
80% of executives surveyed say that they are supporting the physical and emotional health of their workforce, while just 46% of employees surveyed feel that support.
The study, which includes input from more than 3,800 C-suite executives in 20 countries and 22 industries, shows that executives surveyed are facing a proliferation of initiatives due to the pandemic and having difficulty focusing, but do plan to prioritize internal and operational capabilities such as workforce skills and flexibility – critical areas to address in order to jumpstart progress.
“For many the pandemic has knocked down previous barriers to digital transformation, and leaders are increasingly relying on technology for mission-critical aspects of their enterprise operations,” said Mark Foster, senior vice president, IBM Services.
“But looking ahead, leaders need to redouble their focus on their people as well as the workflows and technology infrastructure that enable them – we can’t underestimate the power of empathetic leadership to drive employees’ confidence, effectiveness and well-being amid disruption.”
The study reveals three proactive steps that emerging leaders surveyed are taking to survive and thrive.
Improving operational scalability and flexibility
The ongoing disruption of the pandemic has shown how important it can be for businesses to be built for change. Many executives are facing demand fluctuations, new challenges to support employees working remotely and requirements to cut costs.
In addition, the study reveals that the majority of organizations are making permanent changes to their organizational strategy. For instance, 94% of executives surveyed plan to participate in platform-based business models by 2022, and many reported they will increase participation in ecosystems and partner networks.
Executing these new strategies may require a more scalable and flexible IT infrastructure. Executives are already anticipating this: the survey showed respondents plan a 20 percentage point increase in prioritization of cloud technology in the next two years.
What’s more, executives surveyed plan to move more of their business functions to the cloud over the next two years, with customer engagement and marketing being the top two cloudified functions.
Applying AI and automation to help make workflows more intelligent
COVID-19 has disrupted critical workflows and processes at the heart of many organizations’ core operations. Technologies like AI, automation and cybersecurity that could help make workflows more intelligent, responsive and secure are increasing in priority across the board for responding global executives. Over the next two years, the report finds:
- Prioritization of AI technology will increase by 20 percentage points
- 60% of executives surveyed say they have accelerated process automation, and many will increasingly apply automation across all business functions
- 76% of executives surveyed plan to prioritize cybersecurity – twice as many as deploy the technology today.
As executives increasingly invest in cloud, AI, automation and other exponential technologies, leaders should keep in mind the users of that technology – their people. These digital tools should enable a positive employee experience by design, and support people’s innovation and productivity.
COVID-19 created a sense of urgency around digital transformation
Leading, engaging and enabling the workforce in new ways
The study showed placing a renewed focus on people may be critical amid the COVID-19 pandemic while many employees are working outside of traditional offices and dealing with heightened personal stress and uncertainty.
Ongoing IBV consumer research has shown that the expectations employees have of their employers have shifted amidst the pandemic – employees now expect that their employers will take an active role in supporting their physical and emotional health as well as the skills they need to work in new ways.
To address this gap, executives should place deeper focus on their people, putting employees’ end-to-end well-being first. Empathetic leaders who encourage personal accountability and support employees to work in self-directed squads that apply design thinking, Agile principles and DevOps tools and techniques can be beneficial.
Organizations should also think about adopting a holistic, multi-modal model of skills development to help employees develop both the behavioral and technical skills required to work in the new normal and foster a culture of continuous learning.
Attitudes toward cybersecurity roles are now overwhelmingly positive, although most people still don’t view the field as a career fit for themselves, even as 29% of respondents say they are considering a career change, an (ISC)² study reveals.
The findings indicate a shift in popular opinion about cybersecurity professionals, who have traditionally been viewed through a negative lens as roadblocks to business efficiency.
In fact, 71% of the survey’s respondents, all of whom do not work in the industry, say they consider cybersecurity professionals to be smart and technically skilled, while 51% also described them as “the good guys fighting cybercrime.” 69% of respondents replied that cybersecurity seems like a good career path, just not one they see themselves pursuing.
Obstacles to attracting additional information security workers
The cybersecurity industry is made up of 2.8 million skilled professionals, but research indicates that there is a global shortage of 4.07 million, which requires a massive recruitment effort of new entrants to the field who may not have considered the career before. The study reveals that the obstacles to attracting these additional workers may be two-fold.
First, 77% of respondents said cybersecurity was never offered as part of their formal educational curriculum at any point, making it difficult for most people to gain a solid understanding of what roles in the industry actually entail and how to pursue the career.
The second factor that may be limiting interest is a pervasive belief that such roles would require very advanced skills development that would require time and resources to achieve.
“What these results show us is that while it’s becoming even more highly-respected, the cybersecurity profession is still misunderstood by many, and that’s counterproductive to encouraging more people to pursue this rewarding career,” said Wesley Simpson, COO of (ISC)².
“The reality of the situation, and what we need to do a better job of publicizing, is that a truly effective cybersecurity workforce requires a broad range of professionals who bring different skillsets to their teams.
“While technical skills are vital for many roles, we also need individuals with varied backgrounds in areas including communications, risk management, legal, regulatory compliance, process development and more, to bring a well-rounded perspective to cyber defense.”
Cybersecurity as a career path: Key findings
- Conducted during a time of record unemployment amidst the COVID-19 pandemic, the study found that job stability is now the most valued characteristic in a career (61% of respondents), followed by ones that offer a “flexible work environment” (57%) and only then, “earning potential” (56%).
- In the absence of formal cybersecurity education, perceptions about the industry and the professionals in it are formed primarily through portrayals in TV shows and movies (37% of respondents) or by news coverage of security incidents (31%).
- 61% of respondents said they believe they would either need to go back to school (26%), earn a certification (22%) or teach themselves new skills (13%) in order to pursue a career in cybersecurity. 32% of respondents said they believe too much technical knowledge or training would be required.
- Generation Z (Zoomers) were the least likely demographic group to cast cybersecurity professionals in a positive light. Just 58% view cybersecurity professionals as smart and technically skilled, as opposed to 78% of Baby Boomers. And only 34% of Zoomers consider them the “good guys, fighting cybercrime,” as opposed to 60% of Boomers.
Cybrary released the findings from the report which examines the current challenges, perceptions, and impacts of the cybersecurity skills gap faced by IT and security teams worldwide.
Security teams and the growing skills gap
The survey questioned respondents about the employer contributions towards their skill development, their level of personal commitment to growing their skills, and the current level of organizational support and opportunities offered for skill development.
Over 800 IT and security professionals, varying in experience and ranging from system admins to CISOs, were surveyed to gather their industry insights. The survey discovered that:
- 68 percent of respondents report investing their own free time, outside working hours, to improve their cyber skills
- Nearly 3 out of 4 respondents agree that skill gaps exist on their teams
- 65 percent of managers agreed that skills gaps have a negative impact on their team’s effectiveness
- 40 percent of individuals say they spend time working to learn new job skills every day, while another 38 percent reported at least once a week, and
- 46 percent of organizations do not confirm new hire skills for specific roles and 40 percent rarely or never assess the skills of newly onboarded team members.
“Year after year, we see the cyber skills gap hindering the performance and productivity of IT and security teams, and this survey confirms that organizations still have a lot of work to do to provide their staff with the right training, guidance, and support they need,” said Ryan Corey, CEO of Cybrary.
“Despite industry-wide recognition around this growing skills gap, there has been little movement in bridging this gap. To make progress, organizations must empower and support IT and security teams by giving them the time and resources they need to grow their skill sets within their current role. It’s truly a win-win situation, contributing to both the individual’s career growth as well as organizational goals.”
Limited support and investment in employees’ career development
While it’s clear industry professionals are committed to advancing their careers, this survey shows limited progress from organizations in supporting employees and investing in their continued career development, despite the expectation for employees to keep pace in their dynamic roles.
The survey also reveals that employers need to break down significant barriers, such as cost (33 percent) and lack of time (28 percent) that are preventing IT and security professionals from getting the skills training they need to do their jobs to the best of their abilities.
With about half of organizations either decreasing their training budgets (22 percent) or keeping them the same (25 percent) this past year, it’s not surprising that industry professionals struggle to find opportunities to improve their skills for their work.
“The industry is overdue for a wake-up call to address the IT and security skills gap and talent shortage, especially as we enter a new era of remote work,” said Ron Gula, Cybrary Board Member.
“This vision for attracting and retaining talent can only be fulfilled if organizations continuously invest in their employees’ career and skills development. By assessing existing IT and security training programs, organizations can finally begin to empower their employees to scale their current skills and ultimately, their careers.”
The COVID-19 pandemic took most of us by surprise. Widespread shelter-in-place mandates changed how we work (and whether we can work), play, rest, shop, communicate and learn.
It changed things for businesses as well. Some were not ready to meet the challenge and closed up shop, many others were forced to hastily start or speed up their company’s existing digital transformation efforts and prepare for the majority of their workforce to be working from home – something that seemed impossible (or simply very, very unlikely) just months before.
Time for change
In times of upheaval, it becomes easier to imagine and enact change. Unfortunately, the speed at which all these changes happened has meant that cybersecurity has become less important than productivity (meaning: even less important than it was before).
But this downgrade won’t and can’t last long. With cyber attackers increasingly taking advantage of the many new attack surfaces – unsecured devices, databases, cloud assets, remote access and other accounts – organizations are now furiously trying to close as many security holes as soon as possible.
Employed cybersecurity professionals have been having a tough time during the last few months, trying to keep company assets and networks out of the hands of attackers while having to suddenly support more remote workers than ever before.
The required security measures are known and advice for achieving remote work security is easy to get, but implementing it all takes time and effort. Even before the advent of COVID-19, organizations had trouble filling all the cybersecurity positions they opened – and their needs have surely intensified in the last few months.
Gunning for a career in cybersecurity
Cybersecurity professionals and other technology professionals are using eLearning and online trainings to pick up new skills, but as the demand for cybersecurity personnel increases and the availability of paid positions widens (when in many other economic sectors it is dwindling), many tech-savvy individuals are wondering: “Do I have what it takes to enter and thrive in the cybersecurity arena?”
A recent Skillsoft report says that networking and operating systems, security and programming training are in the highest demand among technology and developer professionals, and that security certification prep courses are up by 58 percent YoY.
While people already working in IT definitely have a leg up on other aspiring candidates since every role within IT has a cybersecurity aspect, certifications such as the (ISC)² Systems Security Certified Practitioner (SSCP) can help with cybersecurity knowledge acquisition and demonstrate the person’s suitability for entering the cybersecurity field.
But even recent college graduates without a deep technical background and military veterans can have a bright future in cybersecurity – if they know how to go about breaking into the field. The tools are there for those who want to use them.
64% of IT pros are instilled with a new sense of confidence, despite contending with challenges such as reduced budgets, greater decision-making responsibilities, and longer hours caused by their organizations’ response to the pandemic, a SolarWinds survey reveals.
Likewise, 46% feel empowered to bring more ideas to the table while 58% say they now feel more prepared to succeed in similar unexpected situations.
“The success of organizations during this unique time is due in large part to IT pros’ preparedness and inherent ability to adapt and manage through substantial change,” said Rani Johnson, CIO, SolarWinds.
“2020—and the unexpected COVID-19 pandemic—is proof positive IT pros are built for moments like these. What’s particularly encouraging is IT pros’ perception and expectation IT will be included in more business-level decision-making moving forward.
“The dedication of IT pros around the world to ensuring business resiliency and continuity over the past several months serves to elevate and empower the IT community to work alongside business leaders to meet bigger organizational goals.”
IT pros’ upskilling likely to continue into the future
This newfound self-confidence, combined with IT pros’ achievements during this time, will completely transform how IT is viewed by the business in the future. IT may earn a more prominent voice in the C-suite, as 40% of surveyed IT pros believe they will now be involved in more business-level meetings.
Likewise, IT’s role will be up-leveled due to the vast upskilling 26% of IT pros underwent during this experience. With 31% admitting there’s a need to rethink internal processes to better accommodate the rapid change of pace required post-COVID, it’s highly likely a focus on IT pros’ upskilling will continue into the future.
“As always, with new responsibilities comes the need for new skills. While almost half of survey respondents felt they received the training required to adapt to changing IT requirements, nearly one-third experienced the opposite, and are at risk of being left behind as IT teams continue to grapple with how best to support the new normal,” said Johnson.
IT pros gaining an increased sense of confidence
IT pros said they’ve gained an increased sense of confidence in their expanded roles, responsibilities, and ability to adapt to unexpected change in the future, despite contending with more challenging working conditions over the course of the pandemic.
Respondents said longer work hours due to stretched teams (29%), more responsibility (28%) and decision-making requirements (28%), and a general increase in job-related stress (22%) were the leading ways in which day-to-day roles evolved in response to the impact of COVID-19.
Still, 64% agreed this experience—including changes to their day-to-day tasks—has given them a new sense of confidence in managing unprecedented change.
- 46% say the work they accomplished has empowered them to bring new ideas to the table.
- 58% say they now feel more prepared to succeed in any similar unprecedented situations in the future, while another 29% report feeling prepared to manage change but require additional resources, training, and support.
Given the achievements of IT pros during this period, 40% of respondents say they believe IT will be included in more business-level meetings and decision-making moving forward.
Remote workforce support requiring new skills
The implications of COVID-19 accelerated IT pros’ ongoing efforts to upskill in critical competencies, such as systems management, network management, and security policy and compliance.
26% of IT pros said it was necessary to learn new skills to support their organizations’ transitions to a remote workforce.
The top skills IT pros reported as the most important for development:
- Systems management (55%)
- Network management (50%)
- Security policy and compliance (43%)
- Hybrid IT monitoring/management tools and metrics (28%)
47% said they received the training they needed to learn these new skills; however, 25% are still waiting for those training resources to be made available.
The breadth of skills IT pros needed during this time shows how silos are disappearing, as roles start to blur together. In fact, today there is more crossover between traditional roles than there has ever been before and we will continue to see these lines blur until most silos are completely gone.
Technology, process, and team transformations are needed
In the coming months, IT organizations must undergo technology, process, and team transformations to accommodate the new IT requirements associated with extended remote-work scenarios post-pandemic.
71% of respondents felt supporting a remote workforce struck a balance in which certain aspects of day-to-day management were better, while others were more challenging.
- 31% agree there’s a need to rethink internal processes to better accommodate the more rapid pace of change required post-COVID.
- While 18% of respondents reported their toolsets and technologies fell short in addressing the unique challenges of remote workforces, 28% of IT pros flagged a need to consolidate existing solution suites (and their vendors) to simplify management, maintenance, and cost of upkeep.
Although the majority of IT organizations successfully managed the transition to remote work and played a critical role in ensuring business continuity, IT pros expect several trends to shape the future of their respective IT organizations:
- Greater cross-team collaboration (53%)
- More responsibility (46%)
- IT inclusion in more business-level meetings and decision-making (41%)
- Tighter budgets (even post-economic recovery) (26%)
- More opportunity to upskill/attend trainings (25%)
The information security industry frequently utilizes the phrase “people, processes and technology” (PPT) to describe a holistic model of securing the business.
But though this phrase is repeated ad nauseam, we seem to have forgotten one of those three primary pillars: people.
In an effort to secure things technically, we prioritize the protection of our processes and technology, while ignoring a critical element to both the success and security of organizations. While it is common sense to prioritize humans – our first line of defense against cyberattacks – too often we only focus on processes and technology, leaving a significant part of our environment dangerously exposed.
Forgetting the people of the PPT approach is like operating a car without airbags. Perhaps you cannot physically see the hazardous gap, but the drive will be incredibly unsafe.
How do we mitigate this gap? By recognizing that people matter. In the information security domain, we place an extensive premium on the technical, which leads us to neglect humanism, soft skills and the human capital of the business.
Avoid disempowering your staff
Security professionals often describe humans within the cybersecurity space as the weakest link of the system. Security staff often use this phrase to describe everyone but themselves, which does little to enable trust between internal teams or to encourage collaboration among cross-functional groups. In addition, it cultivates an “us versus them” mentality, which is damaging to professional relationships and the success of our information security programs.
Even if people are the element most susceptible to phishing attempts, or the link most likely to be negligent in security practices, it becomes incredibly difficult to foster a culture of security awareness if we demoralize or denigrate the individuals we need to help drive our security priorities.
How does a security team avoid disempowering fellow employees? The solution is quite simple: be aware of the words and phrases you use to describe the people of the PPT model. Develop trust by utilizing positive language during communication and approaching all staff with respect when informing them that security is the responsibility of all employees. You will more effectively keep the attention of staff when you demonstrate that you respect them and indicate that you view them as a primary element of keeping the organization secure.
Steer clear of “My way or the highway!”
The stress of constant security incidents and continuous fear of potential data breaches lead many security teams to operate with a rigid, iron-fist management approach. Instead of allowing security to better enable the business, ideas and programs are forced through and collaboration is thrown by the wayside in the name of making our environments more secure.
While this certainly does not make us popular within the workplace, it also contributes to a lack of trust between security and other business functions. Trust is critical to the success of our security paradigm, which means we must take every opportunity possible to ensure that security enables the business. Without trust, the people of our businesses will not follow our security policies, report suspicious activity, or see cybersecurity in the organization as something they are directly responsible for.
Is it possible for security teams to operate in a flexible and collaborative manner that guarantees the advancement of the security program, while simultaneously not hindering the day-to-day work of other staff?
Most definitely. And the solution, like the above, is free, and requires no processes or technology. Be open to opposing opinions regarding the implementation of your security project or program. Approach others cooperatively on how the integration of a new security tool or application should be managed. Asking others, candidly, if there is a “better” way to address a security problem is a wonderfully collaborative way to engage within a culture of teamwork.
Those outside the security team may have ingenious approaches to fixing security problems that we may never have thought of – solutions that both mitigate the security issue and don’t hinder the day-to-day work of employees. Acknowledging the skills and expertise of other non-security teams allows us to discover more innovative ways of approaching a security problem.
Continue to implement technical controls but consider implementing another element into your governance model: people matter. This value, though it sounds simple, is an effective way to not only manage security risk at an acceptable level, but also to ensure that we cultivate our security models holistically.