SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Why existing employees could be the key to closing the cybersecurity skills gap
Wed, 13th Sep 2023

In a rapidly digitising world, where Malware-as-a-Service (MaaS) and ransomware attacks are escalating, the need for cybersecurity expertise has never been more important. While companies and boards scramble to recruit top-tier cybersecurity talent, many overlook an untapped reservoir of potential: existing employees. These professionals, already attuned to an organisation’s culture and objectives, could become its next line of cybersecurity defence with the right upskilling and reskilling initiatives.

A business’s cybersecurity defence is only as strong as its weakest link, and companies can no longer afford to ignore the untapped potential of their existing workforce. Upskilling is not just an option; it’s an essential solution.

Boards have rightfully become more engaged in discussions about cybersecurity, largely driven by fiduciary responsibilities concerning risk management. Their growing involvement is reflected in the increased allocation of budgets for cybersecurity measures, including personnel hiring. However, while the inclination may be to hire externally, boards should also advocate for and financially support strong internal training programs. Upskilling existing employees offers a faster and potentially more cost-effective strategy to close the skills gap.

There are immediate advantages to upskilling an existing workforce for cybersecurity roles. Employees with a history at the organisation already understand its core values, objectives, and internal processes. As a result, the orientation phase is significantly shortened. Additionally, reskilling opportunities often result in greater job satisfaction and employee retention, converting into long-term gains for the business.

Studies consistently show that investing in employee development not only increases retention but also enhances productivity. A skilled internal workforce in cybersecurity becomes a long-term asset, effectively neutralising some of the risks that companies face today.

There are four steps organisations can take to implement a reskilling and upskilling strategy:

1. Identify talent pools: locate the departments within the business that have basic skills or interests that could be further developed into critical cybersecurity competencies.
2. Curate curricula: partner with educational institutions and cybersecurity providers or take advantage of high-quality online courses tailored to bridge the cybersecurity skills gap.
3. Pilot programs: before rolling out training company-wide, conduct pilot programs to gauge effectiveness and make necessary adjustments.
4. Continued learning: cybersecurity is an ever-evolving field. Continued education is crucial and should include periodic recertification or advanced courses.

Upskilling shouldn’t be limited to just the IT department. A well-rounded cybersecurity strategy calls for an organisation-wide understanding of basic principles: a workforce that can recognise and respond to threats offers an additional layer of protection that is often underestimated. Everyone should at least be educated about phishing attacks, social engineering, and other basic cybersecurity concepts.

By ignoring the potential of existing employees, businesses both risk the safety of their digital assets and miss the opportunity to create a more engaged, loyal, and capable workforce. This means it’s time to stop viewing cybersecurity as a specialist skill set possessed by only a select few; it’s everyone’s job. For that, both comprehensive and role-specific training is not only advisable, it’s indispensable for any company.

As cyber threats continue to target organisations of all sizes, focusing only on external recruitment is a limited strategy. Businesses must look inward and upskill and reskill existing employees to address the skills gap, enhance employee satisfaction, and bolster the company’s cybersecurity posture. It’s a strategy that forward-thinking boards and executives can’t afford to ignore if they want to keep their networks safe.