Boards Must Address The Cyber Skills Gap
February 23, 2017
Next time you’re in a board meeting, look around the room and ask yourself this question: Who here has the skills, knowledge and application to protect the company and its clients from a sustained, coordinated and sophisticated cyber attack? Drawn a blank?
You’re not alone.
Increasing incidents of high-profile cyber attacks are indicative of a growing threat to corporations big and small alike, yet it’s a threat that is still largely overlooked, underestimated and downplayed.
This year’s Black Friday and Cyber Monday sales are projected to reach a staggering £5 billion, with online and mobile sales increasing year-on-year. Yet, it is over the festive period that cybercrime activity dramatically increases. Recent high-profile cyber-attacks, including Tesco, Talk Talk and the recent DDoS (Distributed Denial of Service) attack, have brought consumers’ online security into question, and whilst many boards are more aware of the potential threats, there is still a large degree of complacency. Many leadership boards still underestimate the maturity of the cyber-crime business model.
“If you look at the typical board it’s generally not experienced in this area,” says Stuart Jubb, Director at Crossword security. “Companies are going to find there is a massive shortage of talent and will have difficulty recognising the better people. There are a lot who talk a good game but not many who know what they are doing, so finding professionals with an excellent technical background is critical.”
By pushing it higher up the agenda and by ensuring you have the right talent and expertise on board, businesses can be better equipped to deal with this rapidly evolving problem.
Tackling the skills shortage
It is widely discussed that retailers face a struggle to bridge the digital skills gap at all levels, with roles involving analytics, data, content creation and information systems architecture being the most sought after. As the rate of cyber-crime increases, companies are going to find there is also a massive shortage of talent when it comes to experienced security and technology experts.
Consumer businesses should make sure they have someone in place not only to manage data and privacy but also to ensure the technology is in place and that they manage employee access to systems carefully. Finding a CIO or Head of Data Privacy with an excellent technical background and experience is now critical.
Not only is excellent security essential, in defending against attacks on a business’s very existence, but it should also be part of the strategy to improve customer experience and build trust. As both cyber-crime and data-driven decision-making become increasingly important, the business leaders responsible are also likely to be required on the executive board to ensure representation of these key areas.
Matt Ettelaie, Cyber Defence Services, KPMG LLP told us, “For all businesses and especially in retail, good cyber security can be a real market differentiator. Customers are increasingly savvy in this area and unwilling to trade with those who fail to look after their information securely. Cyber should be a board level agenda item led by an experienced executive. Skilled and knowledgeable CIOs & CISOs help to set the right ‘tone at the top’, educate the rest of the organisation and allow cyber strength to become a real business enabler”.
Action should come from the top
Speaking to Jubb, it’s clear that some of the biggest threats to a business go beyond reputation damage, highlighting the need for urgent action:
“A cyber attack can dramatically affect the share price of a company and we started seeing that happen with Talk Talk. Other threats may not be so publicly visible but can still cause a lot of financial damage, such as ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid.”
Jubb added that the proliferation of mobile devices and cloud systems used by employees now makes protection more difficult.
“If you’ve a company whose salesforce is out on the road all the time it is unlikely they will be getting the regular updates on their laptops. When you’ve thousands of employees working from mobile locations, this can become a serious vulnerability.”
Upgrading software will only get you so far: you have to cultivate a workforce to the point where cybersecurity is second nature and that ultimately has to come from the board. If companies don’t have a CIO or equivalent in place now they should start thinking about developing their talent pool as quickly as possible.