We won't win the online security war without people power
Organizations need to remember that people, as well as technology, can provide solutions to cyber-threats.
It’s estimated that two-thirds of people online – more than 2 billion individuals – have had their personal information stolen or compromised, and a business falls victim to a ransomware attack every 40 seconds. The threats are changing constantly, and there’s an acceleration in the production of new attacks, especially those that regularly evolve to evade security controls that can’t keep up. The Emotet malware, for example, changed the links or attachments being used to deliver the virus up to 24 times a day. And 99% of malware is used for less than one minute.
Faced with such a range of threats, it’s easy to focus on technology investment: firewalls, anti-virus, malware detection, DDoS protection and every other kind of technology to try to prevent a potential breach.
In the face of a rapidly changing threat landscape, security teams can be overwhelmed by the volume of data being picked up by a raft of security monitoring tools.
But a tool is nothing without the analyst sat in front of it. By drawing out abnormalities based on intelligence, analysts can then examine the threats, understand them and move quickly to mitigate risks.
That’s not to say that investing in IT security isn’t important. But the escalation in cybersecurity threats has created an unprecedented need for individuals with skills, talent and experience. Indeed, there will be a global shortfall of 3.5 million cybersecurity jobs by 2021.
There are three areas where organizations can help develop the necessary skills:
1. Security awareness
Security is becoming more personal, with organizations starting to understand the bigger role that individual employees must play in helping to strengthen their organization’s cybersecurity.
People are often the weakest link in the security chain: clicking that all-too-tempting prize-winning hyperlink in an email, leaving the fire exit propped open for the pizza to be delivered during a night shift or revealing trade secrets to fellow passengers during the journey home.
A lot of managers still struggle to “sell” the benefits of security training by failing to bring the consequences of a cyberattack to life. We continue to see people told to attend awareness courses without any engagement or real understanding of why it matters to them.
But that doesn’t make awareness programmes redundant. By making security awareness everybody’s job, you can often help protect not only your organization, but also your employees’ home lives and those of their families and children, too.
By rewarding good behaviours, investing in people, training them and creating processes that change how they behave on an ongoing basis, your employees can be your biggest security asset.
2. Grassroots education
As we face a significant skills shortage in the future, it’s vital that together we help create the next generation of cyber defenders now.
From supporting National Cyber Security Awareness Month, the annual campaign to raise awareness about the importance of cybersecurity, to offering secondary schools free cybersecurity lesson plans or talks from security experts, organizations can provide structured ways of helping to attract more skilled workers into the security industry.
There are also opportunities such as Cyber Security Challenge UK, a series of national competitions, learning programmes and networking initiatives designed to identify, inspire and enable more people to become cybersecurity professionals.
Apprenticeships are also a fantastic way to overcome the skills gap. The results aren’t immediate, but with time, apprenticeships provide you with a steady influx of skilled, educated and specifically trained security workers.
3. Retaining skilled staff
A massive 97% of organizations have concerns about security skills, and two-thirds have trouble retaining the security staff they do have.
So once you have recruited skilled individuals, how do you keep them interested?
Those who have the right skills often command significant salaries, pricing them out of the market for all but the top organizations. Security experts want exciting opportunities and to work on stretching and pioneering assignments. They can get bored easily and need new experiences to keep them keen, so sometimes money isn’t the only factor in retention.
One of the ways to retain skilled staff is through development plans, specially designed to help them succeed in their job and make progress in their career. Offer them internal coaching, external training and practical support.
You can also make sure your security experts, especially "ethical attackers", those who attack your own defences to identify weaknesses, have the time to be creative. By giving them time to come up with new ideas of how they’d target you, you can then mitigate the risks and protect yourself.
Security isn’t just about technology. It’s also about the people, partnerships, intelligence and expertise you need to stay one step ahead in the security race.
By putting people at the heart of protecting what matters most, you can stay ahead of the changing threat landscape.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.