Let's do something about the cyber security skills shortage

I'd like to share a story about Jason. Jason was barely out of school at 19 years old, when he joined the security team where I worked about 10 years ago. We needed someone to be the administrator for an email security gateway at one of our largest clients. Administrator is a nice word for the mind-numbing tasks Jason had to complete every day, such as fixing spam filters and getting irate phone calls from unhappy end users. Jason had a great way of calming users and a wicked sense of humour, and most importantly a thirst for learning and attitude to put in whatever it took. Within a few months he was promoted to security engineer and fast forward a few years and Jason was poached by the US where he now leads a whole team of senior security architects.

Across the board, the security skill shortage was listed as one of CISO's top pain points for 2020. The security skills shortage is not just a South Africa problem, globally there are about four million IT security vacancies, according to (ISC)2.

Yes there have been great advancement made in security orchestration and automation tools and technology, but if there is no one available to set it up and operate it what's the use? And the service providers? They have exactly the same problem: too many experienced & qualified staff leaving the country, tempted by the promises of a better or at least safer life and a stronger currency.

Here are my thoughts on how we as South Africans could address the problem heads on and possibly even benefit from it in the long run:

1. Hire for attitude not experience

I always have to think about Jason when talking about this. He is living proof that attitude trumps experience - with literally zero professional experience Jason soared to great heights. We have long given up finding staff from within the IT or security industry and have successfully hired people from other industries such as media or straight out of school. The common denominator across high performers is their hunger to learn and an attitude to take ownership and stick with a challenge until it is resolved. There are fantastic online resources available, so anyone who wants to can learn more about. It just requires a bit of an outline or curriculum and discipline to stick to the self learning process. Cybrary, LinkedIn Learning, Udemy all have courses available to teach security & networking fundamentals.

2. Start a security academy & internships

Some of the larger financial organisations such as Standard Bank, have launched security academies targeted at internal staff to up- and cross-skill into cybersecurity. These initiatives are mostly led by security professionals who spend their free time to volunteer and train others about cyber security. I believe this is largely because most security professionals are really passionate about what they do. And this passion drives them to work after hours, set up curriculums and find the time to inspire others - often up until the middle of the night. Some grass roots collaboration is happening already with Standard Bank sharing their learnings with other organisations. ABSA has launched a formal cyber security academy targeted not just at internal staff but to the wider public.

3. Inspire the Youth

Security is such an incredibly interesting industry to get into: the diversity and breadth of topics allows for continuous learning and a variety of skills and interests to be developed. Wherever possible, security professionals should find ways to spread the word in schools and youth development programs. KnowBe4 offers free awareness content in the form of an activity kit which can be used by schools and parents. Go and speak at universities or schools when you get a chance.

Thanks to Lynette Hundermark and Wouter Grove, I had the opportunity to talk about cybersecurity to a room full of young

sters at the CoLab for e-Inclusion and Social Innovation University of the Western Cape and that day was the best day of the week for me, it was really inspiring - as you can see by my dufus smile.

4. Provide a career path for girls and young women

According to Charles Schwab in the Fourth Industrial Revolution, women will be at higher risks of being left behind as automation and robots replace traditionally female roles such as secretarial, retail, call center and even caregiving jobs. This means that we really need to find ways to inspire today's young girls and women to embrace a career in the Science, Technology, Engineering, and Mathe

matics (STEM) areas. Cyber Security offers not just the pure technical roles, but a lot of aspects such as "building the human firewalls" which requires skills often typically linked to female traits, such as high empathy and communication skills.