IBM’s Vaidyanathan Iyer on why organisations need to invest in a good cybersecurity culture

Cyber literacy and awareness are of great importance in the continuing struggle against bad actors and ransomware - but how do we tackle the threat and/or fix the issues?

Finding cybersecurity professionals is essential, but given the way ransomware is running rampant, it is clear that cybersecurity needs to be made a bigger priority, and for every employee.

Organisations are pursuing numerous ways to close the talent gap in both the short and long term – including new university programmes, technical and vocational programmes, apprenticeships, certifications, early education and government programmes, but it does not seem enough.

Frost & Sullivan predicts that the growing gap between available qualified cybersecurity professionals and unfulfilled positions will reach 1.8 million by 2022.

The fight against malicious cyber intent begins with professional expertise. It is imperative that companies make cybersecurity awareness, prevention, and practices a crucial part of their culture for the cyber battle to be won.

In an exclusive interaction with People Matters, Vaidyanathan R Iyer, chief of operations, IBM security command center, IBM Asia Pacific, talks about the challenges organisations face in building a cybersecurity talent pool, what they can do to build cyber resilience, and how IBM is meeting the cybersecurity skills gap.

Following are some excerpts.

Why must companies instill cybersecurity awareness, prevention, and practices as a culture?

Digitisation and digitalisation have led us to live in a connected world today where the weakest link is mostly the human connection. Cybersecurity has become a business and social imperative now and every person or entity that is connected to the organisation must now be cyber aware. In an organisation, cyber awareness should flow top down.

Awareness is best brought about by continuous training, exposure to common cyber threats, prevalent hacking attempts like phishing, swishing, OSINT (open-source intelligence), etc. It will also be important for all stakeholders to have a clear understanding of the risk factors to the business and what needs to be done to bring the business back on the rails in case of a cyber-attack. For this, advanced cyber range facilities can be used for continuous training and testing the playbooks.

How can firms build cyber resilience?

Firms can build cyber resilience when the cyber awareness pulsates through every aspect of the organisation - People, Processes and Technology. The concept that cybersecurity belongs to everyone must be instilled.

In addition to general cyber awareness, the employees should also be trained in domain-specific cybersecurity skills. For example, an HR personnel who does online interviews should be trained on how to identify and handle deepfake situations. A developer should be trained in Secure DevOps. A Security Operations Centre (SOC) analyst should be trained in technical aspects of incident response while the PR & communications department should have enough cyber awareness to put out a calibrated response in case of a cyber incident.

Everyone should be encouraged to be a cyber superhero. Cyber hygiene, cyber correctness and agility should be rewarded. There can be a monthly Cyber Champion award to recognise special actions.

What skills should new cybersecurity professionals focus on?

It is interesting that often the discussions on skills needed are limited to technical skills. In today’s environment, cybersecurity skills also have the classification of non-technical.

Technical skills: This is dependent on the domain of one’s work. A developer should be skilled in Software Development Life Cycle (SDLC), string manipulation avoidance, SecDevOps, in addition to those requisite programming languages (e.g. Python). Skills in open technologies, cloud platforms, and building a zero trust approach are also much needed. For future-facing technologies like quantum platforms, the required cybersecurity skills include quantum encryption, decryption and quantum-related security incident response techniques.

Non-technical skills: Communication skills and behavioural skills are very important and are often not considered in the core skill set of cybersecurity. Security professionals of an organisation are usually the first stop in managing a cyber incident. It is very important for them to have the right attitude and communication that instill confidence amongst the stakeholders in the event of an incident. They also need to be sensitive to the challenges of the business domain and must be trained in business risk factors in addition to the standard technical risk factors.

Why is it hard to build a cybersecurity talent pool?

Lack of adequate cyber skills is an individual, organisational and a global factor today. Formal education from academic institutions is just one aspect of this. As I mentioned previously, a cyber professional needs a myriad of skills in addition to pure technical skills. They also need cyber skills specific to the industry that they will be operating in such as healthcare, finance, Industry 4.0 etc.

In the last three years, the speed at which business transformation has progressed has put a premium on the demand for rightly skilled personnel. This has increased the volatility factor amongst the available skilled personnel. It is not practical today to have an organisation-specific cyber talent pool. The need of the hour, therefore, is to have business, academia, and government organisations take a collaborative and combined approach for creating a cybersecurity talent pool available for the next decade. This must be a concerted exercise and will also involve cross-national boundaries.

How can organisations meet the cybersecurity skills gap? How is IBM dealing with it?

IBM focuses on ‘Skills First’ hiring where we prioritise the right mix of in-demand skills over specific degrees when looking for talent to work in technology's fastest-growing areas. We call them ‘new collar’ employees. New collar does not preclude traditional education but augments and supplements it. One way that organisations can approach the cyber skills gap is to enable the new collar workers with required cyber skills.

IBM has a variety of programmes to enable new collar workers. There are apprenticeships which are learn-while-you-earn programmes, primarily for the freshers in the domain.

The IBM Tech re-entry programme encourages experienced professionals, including women, who have taken a break from their careers for a variety of reasons and helps them to restart their careers.

The IBM SkillsBuild initiative prepares young people with academic, technical, and professional skills for the next generation and bolsters their ongoing education. IBM has also launched new-collar professional certificates in cybersecurity with leading education service providers.

This article was first published in October 2022.
