The cybersecurity skills gap is a familiar foe for the industry’s professionals, and the UAE – already dealing with a limited workforce – has been hit particularly hard.
The recent ‘Who Secures The UAE’ report found that the majority of participants in the project had just one or two people at their company working specifically in cybersecurity, with under a third saying their organisation’s infosec team had more than 5 members.
For comparison, 33% of participants in the European version of the project reported that their organisation had more than 20 people working in cybersecurity.
Short-staffed security teams, even if equipped with the budget to buy technological fixes, will inevitably struggle. A report by PwC (PDF) warned of the dangers of attempting to buy ‘a technological “fix”’ for cybersecurity issues rather than investing in awareness and training. Humans are the weakest link in an organisation’s security posture, and while technological safeguards can go some way towards protecting against human error, they cannot fully compensate for inadequate staffing.
Many UAE-based companies have attempted to address the problem by ‘poaching’ cybersecurity talent from other companies, but in many cases that turns out to be a short-term fix. The 2016 Hays Salary & Employment report (PDF) noted that more than half of the GCC-based IT professionals surveyed reported intending to change employer within the year. Almost a third said they intended to leave within the next 6 months. Many were leaving not just the company but the region altogether, with increasing numbers of GCC-based IT professionals being attracted away to the UK, America and Asia in particular.
Given that 76% of participants said they had only joined the company that year, that turnover rate is incredibly high – and therefore incredibly costly. Hiring is in itself an expensive process, and leaving that aside, time is money. During the transitional period when an employee is replaced, and the training process when new employees have to familiarise themselves with the company’s systems, hardware and software, and of course how the business operates, there is a great deal of inefficiency.
Even leaving all that aside, the demands on understaffed IT and information security teams leave them little time to keep up to date with new developments on top of all their other work – and in a field which changes as rapidly as cybersecurity, that is potentially a huge problem.
To address these problems, many organisations are turning to external providers for training. That includes security awareness training for all employees, upskilling and software-specific training for existing IT and information security staff, and even retraining existing employees, including non-IT staff, as cybersecurity experts.
Participants in the ‘Who Secures The UAE’ research project named PGI the most effective cybersecurity training provider, with the SANS Institute as a runner-up.
The full report can be found here, and features fascinating insights from PGI’s experience with reskilling programmes in Europe and the Gulf region.