October 24, 2024

Future-Proofing Your Cyber Security Team

8 min read

This week is Cyber Smart week, which is Cert NZ‘s annual campaign to raise awareness of cyber threats and encourage Kiwis to stay vigilant and be cyber secure.

So I figured this would be the perfect time to look at how businesses can protect themselves by future-proofing their cyber security teams, especially in an ever-changing threat landscape.

 

The Evolving Landscape

CERT NZ’s 2024 Q2 report indicated that New Zealand businesses faced over 1,200 cyber security incidents, ranging from phishing to ransomware attacks​, at an estimated cost of $6.8 million in direct financial loss. Kiwi businesses with online operations are linked to the rest of the world through their data and infrastructure, which puts us at risk of global cyber threats.

These malicious attacks are increasing in frequency, reach and sophistication. In fact, a report by worldwide insurance group, QBE, predicts that the total number of significant global cyber attacks in 2024 will be double (211) that of 2020 (103) – a potential 105% increase.

While we’re mindful of scaremongering, it’s still important to understand that the threat of financial and reputational impact from cyber attacks is very real. The numerous, recent examples of such attacks right here in NZ and across the ditch underscore the critical need for strong, up-to-date and responsive cyber security measures. And of course, we need people with the right experience and skills to be able to operate successfully in this space.

 

Supply and Demand Issues

As you probably know, despite the current economic climate and rising unemployment in New Zealand, sourcing certain subsets of tech talent remains hugely challenging. This is amplified within the area of cyber security. A deep talent pool of experts with the ‘right’ knowledge simply does not exist.

Even if you were in the lucky position of having a massive budget to find that needle in the hay stack, the reality is that you’d be hard pressed to find more than a handful of cyber security professionals who have an in-depth understanding of the latest attack protocols. Instead, it pays to be sensible and recognise the challenge for what it is.

 

A Problematic Skills Gap

As we identified in our mid-year IT Job Market Report – Update for Employers, hiring and staffing in this business-critical area is a very real challenge.

 

 

An unpleasant knock-on effect of the ever-changing threat landscape is that individuals working in the cyber security space may discover that, through no fault of their own, their knowledge is no match for emerging issues. What they learned in the past could be irrelevant, or their skill set could have become dated, or even obsolete.

According to the World Economic Forum’s 2024 Global Cyber Security Outlook, there is a growing mismatch between the cyber security skills needed by modern organisations, and the training available to employees​. This skills gap leaves organisations vulnerable to threats, particularly as attackers grow more adept at exploiting human error.

 

The Role of Continuous Improvement

So how do we address this problem? Both businesses and individuals who work in this space need to adopt a mindset of continuous learning and improvement. To begin, take an honest look at your workforce’s current capabilities, and make sure you’re taking a proactive approach to skills assessment.

Create robust processes to regularly evaluate the knowledge of your entire workforce, and consider using simulated attacks to help identify areas where additional training is needed.

For example, phishing attacks, which remain the most common type of cyber incident, often succeed because employees lack the skills to identify malicious emails. Upskilling your workforce in these areas can significantly reduce vulnerabilities and strengthen your organisation’s defences.

 

Recruiting Soft Skills

From a recruitment perspective, while acknowledging that technical skills are the right foundation, we believe it’s essential to also identify and hire for the right kinds of soft skills.

We’re looking for skills that support a growth mindset and facilitate a commitment to continuous improvement, especially for the people in your organisation who are responsible for your cyber security.

For example, when an issue arises you need your people to be able to think on their feet to assess risks, identify patterns and vulnerabilities, and quickly implement countermeasures.

The types of soft skills that are crucial in this scenario, and which we’d look out for in potential candidates, are:

  • Communication
  • Critical thinking
  • Problem solving
  • Adaptability

A high Emotional Intelligence (EQ) is also useful when it comes to handling high-stress situations calmly, and maintaining professionalism during crisis moments (such as a security breach or ransomware attack). EQ also helps in understanding team dynamics and managing relationships across departments. We look for these ‘softer’ skills in our sourcing here at Absolute IT, and recommend our clients do the same.

 

Creating Career Pathways

Attracting talented cyber security professionals is one challenge; retention is another. Given how competitive the market is, you don’t want to invest time and money into finding and developing great people, only for them leave.

We know it’s not always possible to pay the highest salary or offer benefits like flexible hours, but there are other ways you can positively impact retention.

For example, our mid-year IT Job Market Report – Update for Employers found that career development ranked as number three in our list of top non-financial benefits which Tech Professionals deem most valuable. By offering clear career pathways, you’re more likely to keep your talent engaged, motivated, and IN your business.

 

 

You could also consider supporting your people to gain cyber security certifications, such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager® (CISM®). This provides your employees with valuable, sought after opportunities for growth and development. Of course, as training in this space can quickly become outdated, it’s important to be fluid and flexible in the providers and programmes that you choose to offer.

Cross-departmental roles can also be a good option to consider, as they allow employees to take on cyber security responsibilities while continuing to work within their core areas of expertise. This not only helps develop a well-rounded workforce, but also demonstrates a commitment to employee development, which can improve retention rates.

 

Building the Right Culture

In order to stay ahead of threats, it’s crucial to build a culture where cyber security is incorporated into everyday business practices. Employees at all levels, not just those in IT, need to understand the importance of online security, from recognising phishing scams to implementing robust data protection measures.

We recognise that this can be challenging due to limited resources, but some practices don’t cost much or require a big, specialised team. For example:

  • Adopting up-to-date security measures, such as two-factor authentication and data encryption
  • Holding regular knowledge-sharing workshops with all staff
  • Making sure you keep up to date with cyber security certifications.

 

The Role of Leadership

Business leaders play a pivotal role in creating the right culture and ensuring organisations are set up to deal with potential cyber security threats.

The Global Cyber security Outlook 2024 emphasises the need for executives to prioritise cyber security, noting that businesses led by proactive cyber security advocates tend to perform better during security crises​.

However, with many Kiwi companies facing more palpable problems, like decreasing sales and reduced profits, it’s not surprising that cyber security often slips down the list of priorities – the murky threat of a hacker data breach doesn’t seem quite as real.

But senior leaders have a part to play in communicating that these attacks are real, and can threaten livelihoods and undo collective gains in an instant. For example, in the 2022 Optus data breach, a failure to update and patch critical vulnerabilities resulted in the exposure of customer data, costing the company significant reputational and financial damage​.

So how can business leaders avoid situations like this?

  • Ensure that cyber security is a key component of the organisation’s risk management strategy – regularly updating security policies, conducting audits, and investing in new technologies are all part of this process.
  • Support a commitment to continuous learning and improvement, in recognition of the constant changes in this area – attending industry training, staying informed of the latest threats, leveraging resources such as Cyber Smart Week, and supporting employees to learn and grow.

 

Tips for Employers

Assuming that attaining cyber-resilience is a concern for your business, what can you do as an employer? To summarise, here are some actionable steps:

  • Get it on the agenda: ensure that your leadership team prioritises cyber security and allocates resources where possible
  • Audit your people and systems: identify areas of weakness and vulnerabilities so that you know where to resource and improve
  • Foster a culture of security awareness and vigilance: make cyber security the responsibility of your entire workforce, and build this into your people framework, communicating regularly about security issues
  • Identify necessary soft skills: add these into the position profiles for your cyber security roles to ensure you’re recruiting for people who can continuously learn and improve
  • Invest in employee development: Offer cyber security certifications and learning opportunities, and identify career pathways for tech staff, to keep talent engaged and improve your team’s skills

 

Need Help Finding Talent?

We know it can be difficult to find great cyber security people, but we’ve already put in the time and energy to make things that little bit easier. Contact me today to discuss how we can help source skilled professionals ready to tackle tomorrow’s cyber security challenges.

 

Justin Kissling
Branch Manager
Justin Kissling enjoys understanding the impacts of new technologies in the market and following the trends across technology.