How To Mind The Cybersecurity Skills Gap

From physical setup to protocol design, cybersecurity ultimately relies on people. However, bridging the security skills gap can be hard and costly for organisations as they go digital. This article makes the case for a security-first culture, and shows how to get one started in your company.

Cybersecurity can make or break an organisation. Recent crime statistics make it clear that security breaches are among the most damaging and fastest-growing threats businesses face today. Large businesses and SMEs alike are affected: the numbers show that more than half of businesses have experienced a cyberattack in the recent past.

As businesses depend more and more on being online, the chances of falling victim to a cyberattack, and the impact when it happens, also increase. But in the rush to remain competitive and up to date, it is easy to sacrifice security for speed.

Research by a global accountancy firm found that 80% of European businesses name digital transformation as a strategic priority for their business. However, only 34% of these are confident that their current cybersecurity strategy would protect them against attacks – and 21% declare they have no strategy at all.

What’s the price of security?

Truly effective security isn't just about good firewalls or virus protection: those controls are only as good as the people who configure, monitor and maintain them. And these people come at a premium.

To minimise the likelihood of an incident in your business, you need cyber professionals who can anticipate the ways your systems could be exploited by attackers, and who know how to protect against each potential threat.

To start with, these individuals require expert knowledge of systems architecture, training in security techniques and experience in identifying and mitigating issues as they arise.

Unfortunately, this specialised skillset makes good cyber personnel difficult to find and expensive to train. In a recent Open University survey of 500 senior business figures, cybersecurity topped the list of digital skills gaps. With only a small talent pool to go around, businesses struggle to build their security teams.

Delivering the formal training needed to upskill employees into cyber experts works, but it can be costly. To gain the range of skills required, individuals need multiple digital skills courses in networking, cryptography, ethical hacking, security operations and related disciplines.

At an average cost of between £2,000 and £5,000 per course, plus wages and overheads, it's a serious investment for any company to make in its people. Moreover, building these skills takes time, and that time away from work can be even more expensive than the training itself.

But how does this compare with not having a cybersecurity strategy at all?

How much does a security breach really cost?

2019 research by Hiscox estimated the average cost of a single hack among UK companies at £180,000, double the previous year’s figure.

While medium and large companies had the biggest bills, SMEs made a major contribution to the overall total, with 47% of small firms and 63% of medium-sized companies reporting a cyberattack in the previous 12 months. Clearly, size is no protection against being targeted.

There are also several reasons to believe the true price tag is even higher:

1. Under-reporting: a significant number of companies don't report cyberattacks. While there's no way of collecting data on the costs they've incurred, including the likely number of unreported incidents would push the average figure up.

2. Collateral damage: six in ten UK firms have experienced a cyberattack somewhere in their wider supply chain. So even if your company hasn't been attacked directly, you may feel a knock-on effect on your costs and/or productivity when one of your suppliers is hit. This loss is hard to quantify, as it depends on how critical each supplier's service is to your own delivery. But it's easy to see how the compromise of a key supplier can have a significant impact.

3. Intangible costs: by definition, the hardest to measure. For example, if your customers' personal details are breached, you may be legally obliged to inform them (under GDPR, individuals must be notified when the breach is likely to result in a high risk to them). On top of the operational cost of doing so, the damage to your reputation may lose you both existing customers and potential new ones through lack of trust.

Main approaches to cybersecurity

Grossly oversimplifying, there are three main ways a company can approach the cybersecurity conundrum, each with pros and cons. Bear in mind that these aren't mutually exclusive: a strategy can include all three approaches in different measures, depending on the area of the business.

Reactive: do nothing and pay-as-you-go

For many businesses, doing nothing still seems to be an option. You may feel your business is not large enough to be a target, or that cyberattacks aren't likely in your sector or service. The statistics show that this is an increasingly risky (and expensive) approach.

Indeed, believing you are an unlikely target tends to make you an easier one: the basic gaps left unaddressed are exactly what opportunistic attackers look for. You may save in the short term, but in the long run the costs will almost certainly outweigh any saving.

Delegate: get external help

Hiring security consultants to review your current situation, establish strong systems and recommend future actions is a good, if expensive, first step to bring your security up to date. These are usually seasoned professionals who can implement strong first-line defences, as well as respond quickly and decisively to potential breaches.

On the flip side, without a supporting strategy this tactic can be expensive and, because consulting engagements are temporary, hard to sustain. External professionals rarely arrive understanding the intricacies of your systems and processes, or the nuances of your business, which can lead to suboptimal decisions while they learn. And once they leave, good practices risk being forgotten if the culture isn't properly nurtured.

Constructive: build security from within

To create robust, effective systems and a long-term culture of cyber vigilance, you'll need to develop in-house capability. Ideally, this should combine strong theoretical training with hands-on experience. Training your more senior employees helps usher in a security mindset, albeit from the top down.

But to really transform your company's culture in a sustainable manner, this shift also needs to come from the bottom up, and with a long-term mentality. It needs to combine learning and practice in a way that lets your business keep growing without compromising your workforce's output too much.

There has been an established training route on the market for doing exactly this for quite some time: apprenticeships.

Apprenticeships and security-first culture

There’s one crucial distinction between a good and a great security professional.

Good cybersecurity professionals are technical masters with an always-learning mentality and open minds. They know what to look for in a system and what to do when things go wrong. Great professionals combine these skills with a deep knowledge of your business specifics: they know not just what to look for but exactly where to look for vulnerabilities, and they understand the business processes around each system.

This means the best security professionals are often the ones you already have: people who can grow while looking out for vulnerabilities from within. That's why cyber apprentices can be such a precious resource in any business.

The year-long training programme gives apprentices the technical knowledge they need while bringing them on board. This approach exposes them to every nook and cranny of your systems while at the same time equipping them with the skills to spot threats from within.

Even better, there’s no need for an apprentice to have any previous experience in the cyber arena before beginning training.

The value of apprentices

The average cost of an apprentice to a company amounts to £18,000 for a one-year programme. For that, each apprentice earns three to four digital certifications and gets a full year's worth of mentoring while working at the same time.

Furthermore, with the average hack costing ten times as much, helping to prevent even a single incident is more than enough to justify the investment. And apprenticeships are valuable in another, less obvious way: retention.

Keeping cybersecure

Acquiring the best professionals is only half the battle; it's just as important to be able to keep them.

In a highly competitive marketplace like cybersecurity, nurturing skills in-house is an investment most organisations can't afford not to make. However, some investments yield returns faster, and for longer, than others.

The most valuable thing about apprentices is that they're far more likely to remain with your company than seasoned hires are.

Nearly nine in ten apprentices in the most recent Government survey said they were likely to stay with their employer for 2-3 years after qualifying. This is in line with a recent poll of former Firebrand apprentices: up to two years after graduation, over 90% were in either the same role or a more senior one with their apprenticeship employer.

Securing the future

When building the strategy for your business, you must pay close attention to the difference between patching a security problem and building a security culture. The key is to strike the right balance between a top-down and a bottom-up approach.

Apprenticeships are one of the most efficient ways of allocating resources to bring long-term returns. Recognising this, some countries, such as England, have policies in place that make apprenticeships even more attractive to both employers and employees (you can learn more about how these incentives work on our website).

But apprenticeships alone aren’t the answer. Senior talent and leadership need to be trained and nurtured, too. Apprentices need the right mentors and role models within your organisation if they’re to thrive.

The bottom line is that successfully leading your organisation through digital transformation requires the right measure of both.

If you'd like to learn more about how apprenticeships could work in your business, visit our website or contact us.

Stefano Capaldo's focus is to make sure that 17+ years of delivering high-quality curriculum continues to be the nucleus of our apprenticeship provision. He's passionate about apprenticeships and is driving Firebrand to keep its position as the no. 1 apprenticeship provider.