Intelligent CISO Issue 23 | Page 28

Editor’s question

NED BALTAGI, MANAGING DIRECTOR, MIDDLE EAST & AFRICA AT SANS INSTITUTE

We hear a lot about the shortage of staff in the cybersecurity industry, but in most countries the issue is more of a skills shortage than a headcount shortage. The good news is that we are beginning to see some organisations recognising the need to develop less experienced staff in security skills in order to help solve the skills gap, both to transition more general IT staff to security and to bring in new talent and help them develop the skills and experience needed to take on security roles. As such, we expect to see companies continuing to invest in both the detailed technical training required for security professionals to keep abreast of new techniques and threats, as well as more entry level cyber security courses.

Another major driver of security spending in 2020 will be increasing the skills of cybersecurity staff around cloud services and supply chain security, since rapid shifts in globalisation, demographics, work styles and work sourcing are transforming the way in which companies manage their businesses. Indeed, in a recent SANS survey on workforce transformation, 54% of respondents identified increased reliance on cloud-based applications and data as a leading challenge for them. Respondents told SANS that they’re supporting a number of initiatives to support workforce transformation, including a transition to cloud-hosted infrastructure (51%), increased use of collaboration tools (46%), a shift to software-as-a-service (32%) and adoption of the remote office and related capabilities (29%).

These shifts, including the widespread use of cloud and off-site networks, open up new vectors of risk and potential threats and attacks that companies must keep on top of. Companies are also increasingly beginning to realise that focusing on supply chain security and third party risk is key, as this is so often the cause of a breach.
Ensuring that security staff are well trained in these areas is therefore of vital importance going forward. Along with cloud and supply chain, encryption and SecureDevOps are also a focus for many companies, so we expect to continue to see interest in SANS training courses that cover these areas increase.

Last but by no means least, we are finally seeing more companies starting to invest in security awareness training. In the past, too often organisations and their security teams have perceived employees as the weakest link, without investing in properly training them to recognise security threats. Instead companies have traditionally invested almost entirely in using technology to secure technology, ignoring the human side. What little training most organisations have done has been too technical and complex. Proper security awareness training requires simplifying security for people and reaching out to them on their terms. This is something that organisations are just now starting to do.