IT security skills dearth lifts SA's risk profile

By Admire Moyo, ITWeb's news editor.
Johannesburg, 12 Dec 2016
In SA, cyber risk exposure is increasing due to the skills shortfall, and ageing security infrastructure.

The shortfall in specialised IT security skills is increasing the risk profile of South African organisations.

That's according to security experts who note that addressing this shortfall demands an increased focus on developing a skills pipeline within public-private sector partnerships.

Ron Harris, major account manager for public sector at Fortinet SA, says the IT security skills shortfall is a global problem. "In South Africa, we see cyber risk exposure increasing due to the skills shortfall, as well as due to ageing security infrastructure that is inadequate for mitigating increasingly sophisticated attacks." This is a problem particularly apparent in the public sector, he notes.

However, SA is not alone in this, says Harris, pointing out that global studies indicate a drastic need for more cyber security experts in the public sector. A 451 Research study of more than 1 000 IT professionals found security managers report significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%).

Skills development is a longer-term, but crucial, investment, Harris notes. "A number of South African IT stakeholders, and many local organisations, are investing in IT security skills development.

"However, these programmes need to be beefed up if we are to achieve the level of IT security skills we need in the country."

Drastic increase

According to Jeremy Matthews, regional manager of Panda Security Africa, with the developments being witnessed from hackers and cyber criminals targeting businesses around the world, the need for IT security skills has increased drastically.

"South African businesses, in particular, have been slow to adopt even conventional anti-virus solutions, and until recently, organisations had not begun to see the value of advanced security solutions and personnel. This left them vulnerable to cyber attacks, and has fuelled the need for IT staff with the skills to react to security incidents."

Matthews adds that for markets with a vast skills shortage, such as SA, certain endpoint detection and response (EDR) tools can be leveraged to reduce the need for skilled professionals.

However, he adds, organisations need to ensure the EDR solution they select has the ability to prevent incidents before they become a problem, and consider investigation and remediation as secondary concerns.

"Cyber crime is a cat-and-mouse game that requires businesses and individuals to be aware of the threat environment and ensure they have the best security tools and technology for their needs."

Nonetheless, he points out, there is no quick fix to the IT skills shortage gap. "It requires education and training from early on, and the people to adequately deliver this training."

Specialised capabilities

Martin Walshaw, senior engineer at F5 Networks, believes the shortage in skills is not necessarily related to the number of people, but rather to the fact that skills shortages usually concern specific or specialised security technologies.

He says organisations want more than just the average run-of-the-mill security skills, and because of this, there is a perception of a skills shortage.

"For example, most networking professionals can configure a firewall - which is classified as a security skill - but should I mention that an organisation needs to put a Web Application Firewall in place to protect against the Open Web Application Security Project Top 10, still a security skill, then the number of individuals able to do this drops."

According to Walshaw, at this moment it is not about winning or losing, but about minimising the impact of cyber crime.

"Security needs to be inherent and front of mind with everything that everybody does. When security is taken into consideration like this, it is possible to ensure that you have more security ambassadors, and grow a broad base of skills. Once we have this broad base, specialisation is also an area that needs to be looked at."

He notes there are many different facets of IT security, and most of these usually require a specific skill set. These skill sets need to be identified and then allocated to a specific set of interested individuals, he adds.

"Training employees to spot potential security risks is also a good place to start, followed by regular refresher courses. Simply handing them a document that lists the dangers and asking them to sign it is pointless. You can't box-tick yourself out of trouble."