The shortage of highly sophisticated cyber security skills is hampering SA’s ability to put measures in place to prevent and mitigate advanced threats.
There is a growing problem in information security, and it has been on the rise for years. It’s not only the increased frequency and sophistication of attacks, angry hacktivists, rogue nation states or even advanced strands of malware; it’s a huge deficit in the number of skills needed to fight these scourges.
Simply put, there are not enough cyber security practitioners in the world to meet the burgeoning need for better security among public and private sector organisations. This dearth of cyber security skills is only growing and intensifying as businesses become aware of their own vulnerabilities, particularly in the face of the slew of high-profile attacks that have made the headlines over the past few years.
South Africa is no different. The shortage of highly sophisticated cyber security skills is hampering SA’s ability to put measures in place to prevent and mitigate today’s advanced threats. What makes it worse is that competition for the skills that do exist is fierce.
Skills in demand
Cyber security is a highly complex and diverse arena, and different businesses need different skills to achieve their unique goals. Because of this, not all information security practitioners have, or need to have, all the relevant skills that would make up a security team, but some skills are in higher demand than others.
Mary Racter, security consultant at MWR Infosecurity, says even among technically skilled people, knowledge on adequately securing software infrastructure appears to be lacking. “In many software development processes, information security is not prioritised as a non-functional requirement, even when it may be essential.”
Prof Elmarie Biermann from the Cyber Security Institute, says cyber security professionals who really understand the environment, and who have the accompanying technical skills, are scarce. “The lack of targeted, cost-effective training that is developed and offered for the South African market is also playing a major role. Within the current economic environment, companies are spending even less on training. Most of the security training courses are offered by international organisations that are billing in US dollars, making it difficult for people to develop their cyber skills.”
Based on his organisation’s research, Craig Rosewarne, MD of Wolfpack Information Risk, says skills around critical information infrastructure protection are hugely lacking. “In addition, the biggest security skills gap, particularly in government, lies in technical security-type skills. They are doing the paperwork, they are writing the policy, but when it comes to hardening their environment and deploying the right security tools and measures, and closing any gaps, they are failing.”
“Seeing that cyber security are buzzwords in SA, we see a lot of companies and parastatals that are moving towards establishing dedicated cyber security departments or sections,” says Biermann. “People are then appointed or moved to these departments without the necessary background, training and skills.”
Dino Covotsos, CEO of Telspace Systems, says his organisation has noticed a lack of qualified and skilled people in many different areas. “Everything ranging from chief information security officers through to security analysts and penetration testers, there is a huge general shortage of skills in South Africa.”
Barriers to entry, lack of awareness
Racter says the deficit of information security professionals mirrors the overall deficit of skilled professionals in SA.
“There is a lack of information security awareness, as well as low cultural valuation for information security among both technical and non-technical communities, that translates into less market demand for security professionals.
“There will always be a demand for security assurance in larger companies that rely on software infrastructure to manage their capital, such as banks and Web hosts. However, demand is considerably lower in the sectors containing smaller businesses or businesses traditionally not assumed to have a large digital footprint, such as retail outlets, even when security assurance is required to protect their growing base of digitally-controlled assets.”
SA businesses that are in the position of marketing or convening information security resources should be mindful of the causes of the skill shortages so that their efforts can address them. “The information security skills shortage in SA is related to the broader IT skills shortage in the country. IT skills form the important groundwork to contextualise the necessity of information security.”
According to Racter, high barriers of entry to the IT and IT security sectors in SA include monetary and cultural accessibility. “Strong educational opportunities in IT topics often require person-level access to computer hardware, access to information infrastructure such as the Internet, and access to high-quality instruction. This cost barrier can prevent the majority of the population in SA from viewing IT as a viable option.”
Furthermore, Racter says, IT is currently presented as a male-dominated field. “There is a comparative lack of presence, inclusion and mentorship for women in the IT sector. There is also the perception that IT is 'technical’ and ‘mathematical’, and thus doesn’t appeal to women.”
Furthermore, in communities where the median education level is lower, support (such as knowledge-sharing for technical aspirations) is also much lower, says Racter. “These, combined with other factors, could help to exclude otherwise capable individuals who believe they don’t fit technical roles. Lack of relevance of information security in local communities could also discourage people from pursing information security topics, as they cannot contextualise how it affects their everyday lives.”
Another issue, adds Rosewarne, is that “skills are leaving the country, and we are not really developing or importing new skills.”
Rosewarne says there is a lack of awareness of the cyber security opportunity. “We need to let graduates know that cyber security is an exciting option.” Wolfpack Risk does talks in schools and other educational organisations to address this issue. “In addition, the organisation has run three graduate programmes that take on a small team of people, around 12, from 350 applicants. They come on board as interns, and learn new cyber security skills as well as soft skills.”
Investing in people, training
Rosewarne says people aren’t investing properly in cyber security training. “Skills assessments aren’t being done. South African companies are quick to spend millions on deploying technologies and a little bit more on putting procedures in place, but the actual skills aren’t there to monitor the technologies. Core skills just aren’t there. There is a total lack of investment in training and upskilling of people.”
He says public and private sector organisations need to raise awareness of these problems. “There’s an acknowledgement that there is a shortage, but we need government to establish a cyber skills academy. We’ve helped develop a standardised way for government to deal with cyber security. We are currently waiting for approval and adoption.”
Biermann believes training needs to be practical and has to add value to the organisation. “The cyber security environment in South Africa is different than, for example, in the US. Our high unemployment rate has a direct impact on our security systems, and we need to govern that accordingly. Training courses have to fit our environment. If the main objective of a course is to train a person to pass a multiple-choice exam, then we are missing the point. Evaluate your security team and address the skills shortages in a targeted manner.”
Local businesses need to grow and foster a cyber security culture, adds Biermann. “A cyber security strategy needs to be implemented and governed from board level. It’s vital to understand your own systems and security resources, to build your threat profile and map the required skills before embarking on enrolling for training programmes.”
A hands-on approach
Covotsos believes in order to address this shortage, businesses need to take a more hands-on approach to training, mentoring and internships.
“There are many information security workshops and courses out there that don’t provide the relevant value for candidates. Companies are taking advantage of the ‘cyber security’ boom, charging ridiculous amounts for training courses that don’t bring the right value. It is therefore imperative to do extensive research and background checks before signing up employees to these courses.”
Companies should also look at providing internships where possible, adds Covotsos, “to either up-skill potential employees or to at least provide some direction to people who are interested in information security as a career.” He says there are initiatives currently in place, like local information security conferences (such as ZaCon and Bsides Cape Town) that are either free or charged at a very low cost to attend. “Supporting initiatives such as these is a must.”
Businesses and government should also be supporting South African-owned companies that provide training initiatives and sponsor community-driven conferences to boost the local information security scene, says Covotsos.
In Racter’s opinion, addressing the skills shortage should include meaningful efforts to improve accessibility, raise the relevance of information security in a household context, and present information security topics in a way that is fun and easy to engage with.
What the experts are doing
Telspace, he says, is a team of expert penetration testers that provides each employee who joins the organisation with various training course options, including internationally recognised certifications.
“Each of our employees is therefore up-skilled on joining and has a path to becoming more senior. Telspace Systems also has an internship programme that has been quite successful so far,” adds Covotsos.
Telspace has also supported community conferences ZaCon and Bsides Cape Town; Covotsos assisted with the 2015 organisation of ZaCon in Johannesburg. “We try to encourage employees to attend these events or get involved in the community.”
Speaking of how the Cyber Security Institute handles the training and upskilling of its staff, Biermann says it evaluates teams and provides targeted training via short contact sessions and e-learning platforms to continuously test and improve skills. “Our training includes awareness programmes, cyber security (foundation, practical, and advanced levels), cyber investigations, cyber criminology, cyber governance, forensics and cyber warfare (offensive and defensive). We also manage skills levels and progress via digital badges.”