Turning Defense into Offense to Address the Cybersecurity Skills Gap
Research published by ESG this week has revealed that 51% of organizations have a problematic cybersecurity skills shortage. It’s yet another indicator that organizations could be heading towards a cybersecurity skills crisis: back in 2014, ESG reported that only 23% of enterprises said they had a shortage of specialist cybersecurity skills.
These latest findings correlate with an earlier research project conducted in late 2017 by ESG and the Information Systems Security Association, which revealed that 70% of cybersecurity professionals felt that their organization was impacted by the skills shortage. The effects included an increasing workload on cybersecurity staff, the hiring of junior personnel who required training rather than experienced pros, and a culture where the cybersecurity team was consumed with firefighting issues as and when they arose rather than working strategically.
Against the backdrop of a rapidly growing array of cyber threats, coupled with an increasing demand for digital transformation, it’s clear that the cybersecurity skills shortage poses a huge risk to organizations of all sizes, industries, and geographies. With 1.8 million unfilled roles expected by 2022, what can be done to help address this problem?
To address this issue, Ixia has been looking at potential platforms to offer the industry a forum to stay current, upskilled and updated on the latest tools and technologies. To this end, we recently ran the Ixia Cyber Combat competition in Singapore, where 20 teams of cybersecurity industry professionals and students competed to test their skills against one another. The objective of the competition was to present cybersecurity in an exciting and engaging context to potential professionals of the future, and to enable security professionals to hone their skills in simulated cybersecurity attack scenarios.
Participants came from a range of industry backgrounds including financial services, technology, government and education. During the contest, the teams competed to take down enemy servers, expose vulnerabilities and win flags, while defending their home ground against enemy attacks. The participants were exposed to a range of new tools, skills and situations.
Speaking to TechTarget, Ang Guo Gen, a Singapore Institute of Technology undergraduate and intern at Swiss service provider Wizlynx who won the contest, said: “It was a stressful but fun experience. On the defense side, we were only given a Fortinet firewall and Splunk to do some analysis of our environment. I also looked at the logs to try and understand what was happening, did some tests and made some guesses which turned out to be right. In the end, we came from behind and took the show.”
Turning defense into offense
Speaking after the event, Naveen Bhat, Managing Director, Asia Pacific, Ixia, compared cybersecurity to judo, noting that you have to teach a judoka how to attack and not just defend. Doing so lets a contestant understand their enemy and think and act like an attacker, which in turn makes them a better defender. Bhat noted that WannaCry had succeeded because security practitioners failed to correct vulnerabilities in their networks, and compared protecting a business to protecting your home. You need to know where the entry points are and install the necessary defenses. However, when the environment is unfamiliar or changed, you're vulnerable again.
Initiatives such as Cyber Combat help to upskill practitioners, and double up as training and recruitment exercises, to meet the challenges of the ever-changing cybersecurity landscape. After all, with 14,000 malware attacks taking place across the globe every night, however good your security defenses appear to be today, they won't be good enough tomorrow.