Does South Africa have an adequate skill set to tackle data breaches?
By Langithemba Mazibu
Since 2021, 1262 security compromises have been reported to the Information Regulator, of which 186 were cyber breaches with malicious intent. The implication is that in each of these security compromises the personal information of data subjects was unlawfully accessed. The causes range from zero-day attacks (vulnerabilities present in a product as shipped by its original equipment manufacturer and unknown to that manufacturer until exploited) to weak passwords and the neglected maintenance of existing security safeguards, safeguards that were originally implemented in response to identified risks with a high probability of occurring and a high impact if they did.
Cyber security is a field that exists to thwart any attempt to unlawfully gain access to computer systems by implementing controls in response to risks identified through risk assessments, vulnerability assessments and penetration testing. This presupposes that there are skilled individuals implementing and maintaining these controls.
There is a global shortage of information security skills. Although it has become a popular field of study in recent years, the ageing workforce in this field should be a cause for concern, as the incoming workforce does not have the necessary experience.
In a recent Information Systems Audit and Control Association (ISACA) report, “State of Cybersecurity 2023: Global Update on Workforce Efforts, Resources and Cyberoperations,” 53% of the workforce was found to be between the ages of 45 and 65, 43% between the ages of 25 and 44, and less than 1% between the ages of 18 and 24.
Considering that the need for these skills will only grow, the current push to have cybersecurity added to the basic education curriculum could increase the uptake of this career field, with the added benefit of early adoption by this envisaged workforce.
There are different approaches that I have observed when it comes to the governance of information security. Some organisations have taken information security away from the domain of the Chief Information Officer (CIO), the traditional model in which the information security function is a subset of IT, and adopted the Chief Information Security Officer (CISO) role. The CISO reports to the board of directors and leads a team of information security experts in the organisation. This team can then play an independent role in the implementation of an information security program and has a stronger voice in directing and monitoring how security measures are implemented by their IT colleagues.
The desire of most responsible parties to be compliant is evident; however, I have found that the security safeguards adopted by these responsible parties often only look good on paper. The implementation and maintenance of these controls is a different story. This points to the use of outsourced information security expertise by many responsible parties. Don’t kill me just yet. When the necessary skills are hard to come by, outsourcing the security function to external service providers becomes the best option.
However, it is important to note the other side of the coin when it comes to outsourcing information security skills. The greater the use of external contractors, the greater the risk, because of the increased exposure. More individuals will be interacting with your cybersecurity systems and control environment, and wherever humans are involved, the risk exists that one of them becomes a future threat.
Jon Brandt of ISACA, during the webinar at which the report was presented, emphasised the importance of having some internal baseline skill within the organisation. He made the bold suggestion of revisiting the fixed retirement age for cyber security professionals.
Considering the rapid advancement of the technology in use and the ever-expanding threat landscape, the shortage of skills is set to continue. The State of Cyber Security report also considered the unexpected decline in the onboarding of security experts, which it attributes to lower-than-normal investment in staffing. South Africa is not immune to this issue. The government recently introduced cost-cutting measures in response to lower tax revenue collection, and this will have a severe impact on state institutions that want to strengthen their cyber security skill set.
Government departments and entities have become a target for cyber criminals. The inability to acquire the necessary skills may have a cascading effect in that these attacks will not only continue, but the success rate may also increase.
It is worth taking another look at all levels in the cyber security workforce and determining what kind of skills are required for each level in the hierarchy. Is it necessary for senior management to possess intricate technical cyber security skills? Chris Parkerson of Adobe believes that at the top management level, soft skills like critical thinking and problem solving are very important.
They also need to be knowledgeable about the regulatory frameworks that govern the information security implemented within the organisation. The hardcore skills of performing red and blue team operations are then left to the security engineers who plan, implement and maintain the security controls required to mitigate known threats and identified risks to the confidentiality, integrity and availability (CIA) of information and the systems that hold it. This is called the CIA triad and is the cornerstone of information security programs.
Such decisions are made at a high level, and having the CISO in the decision-making process is beneficial. This kind of strategy, while not a panacea for the skills challenge, can go a long way towards easing the effects of smaller information security teams. Expertise will still be needed to develop the security program, as well as internal staff to implement and maintain the security controls it prescribes.
If organisations start being cognisant of the importance of having baseline cyber security skills and embrace their responsibility of protecting the personal information of data subjects, I have no doubt that there will be a decrease in the number of security compromises, especially those that should never have happened in the first place.