South Africa must incorporate cyber security into its school curricula if it is to meet the increasing demand for cyber security skills. So says Jason Jordaan, principal instructor at cyber security training and certification specialist SANS Institute.
The country’s skills issue runs deep according to Jordaan, who argues that a lack of quality STEM (science, technology, engineering and maths) education means less exposure to IT security as a prospective career. As a result, there are too few job-seekers with enough theoretical knowledge of IT security to be of much value to the market.
Jordaan is scheduled to deliver a keynote presentation focused on cyber security skills on the opening day of the 2023 ITWeb Security Summit from 6 -8 June in Johannesburg and on 15 June in Cape Town.
Says Jordaan: “When cyber security also gets introduced at the school level, we have seen significant interest in cyber security careers and often identify real talent before they even leave school. We have seen this in countries such as the United States, United Kingdom and the United Arab Emirates to name just a few.”
He adds that many businesses are inconsistent when it comes to investment in the cyber security skills they do have on board. “Cyber security requires constant ongoing training, and organisations that are willing to invest in their teams continuing education, will reap the rewards. There are still far too many organisations that do not invest in their cyber security human capital, rather spending money on the latest capital investment in cyber security technology at the expense of human development. The reality is that these both need investment.”
He explains that many companies are reluctant to invest because the more skilled a worker becomes, the more attractive they become to head-hunters.
“The harsh reality is that due to the skill shortage the more skilled an individual becomes, the more attractive they are to another company that can offer them more. The problem is that this cannibalises existing talent. We need to realise that cyber crime and cyber threats are not a threat to an individual company, but to society as a whole and companies need to see their place in that society.”
We need to realise that cyber crime and cyber threats are not a threat to an individual company, but to society as a whole and companies need to see their place in that society.
Jason Jordaan, principal instructor at SANS Institute.
South Africa does have resources available to address these challenges Jordaan adds, one of which is the government and its ability to back training programs. “They do not need to do this all alone, they can partner with the private sector help with the development and delivery of these initiatives, and where private-public partnerships have been used, the results are clear to see.”
Jordaan advises against companies relying on external consultants to perform core cyber security functions.
“If you need core skills, then recruiting or upskilling is a necessity, and you can then certainly use external consultants for skill and knowledge transfer, but relying only on external consultants for core skills is not sustainable.However, that being said, there are times when it is just not practical to have all the specialised skills that are available within cyber security in-house, in which case having a pool of experienced external practitioners to use when the need arises is a very good strategy.”
A quick route
SANS Institute believes certification remains the most popular route into the cyber security industry.
“They are often a quicker route into a cyber security role than say a degree program. That is not to say that degree programs are still not relevant, they certainly are. It is just that not all cyber security roles require a degree,” Jordaan adds. “Many role are technically skill based, and certifications are often a good way to demonstrate competency in these technical skills. This is basically the situation across the globe at the moment.
SANS Institute believes the role of the cyber security professional will become increasingly relevant and significant to businesses because it is influential to many areas of operation.
Jordaan advises that it is not easy to define this role because it is so diverse and one only need consider the US’ NICE framework or the European Cybersecurity Workforce framework to understand this level of diversity.
“The diversity or roles in cybersecurity means that regardless of one’s background, education and experience, there is likely a role in cyber security that you would find a place in if working in cyber security is what you want to do. Even if you manage to secure a role that is not what you initially want, (it’s) a way to get your foot into the door. One of the key things that anyone in cyber security will face is that with the constant changes not only in technology, but in the threats that we face, that we constantly have to learn and upskill ourselves, and that is our responsibility, not that of our employers.”
Share