By Rob Rashotte
October is designated for cybersecurity awareness, but guarding against cyberattacks is a 24/7 challenge. According to Fortinet’s 2023 Cybersecurity Skills Gap report, a majority of organizations (80%) experienced a cyberattack in the preceding 12 months, and almost half had a breach costing over $1 million.
The reason is apparent. Cybercriminals are more sophisticated, using new technologies and strategies to evolve and monetize attacks. Malicious actors also increasingly target critical infrastructure, services, and governments, with wide-ranging implications and increased risk to lives and livelihoods
Disrupting these criminal organizations requires understanding the risks, knowledge of effective preventative measures, and access to skilled professionals to implement the strategies and technologies to protect critical systems.
Understanding the risk
Cybercrime is big business. Criminal networks can now offer crime as a service supported by complex business structures. Understanding how these networks work helps defenders quantify risk. While no perfect measurement exists, the cybersecurity sector is working to understand the scope of the threat.
Recently Fortinet, Banco Santander, Microsoft, and PayPal launched The Cybercrime Atlas, a joint initiative providing industry, law enforcement, and government agencies visibility into cybercriminals’ ecosystems and infrastructure to help disrupt and dismantle these networks.
As cyberattacks increase in volume and impact, a World Economic Forum report shows most business and cybersecurity leaders (91%) believe a catastrophic cyber event could occur within the next two years. Protecting against attacks requires tracking how effective the actions designed to prevent or stop attacks are, helping identify best practices and evolve approaches.
Resources exist to help organizations, including the twice-yearly Global Threat Landscape report from Fortinet, IBM’s research into data breach costs, and Verizon’s Data Break Investigations Report. Each provides a regular check-in that enables the cybersecurity community to monitor trends.
At home, the Canadian Centre for Cyber Security and the RCMP released the Baseline Cyber Threat Assessment on Cybercrime. The assessment addresses the most significant cybercrime tactics, techniques and the nature of the global threat, focusing on implications for Canada.
As more reliable data becomes available, the cybersecurity community must establish standard definitions and ways to report cybercrime statistics. This consolidation will make uncovering insights easier for organizations taking defensive actions.
Filling the gap
Despite the intensifying threat landscape, a global cybersecurity skills gap exists, putting organizations, governments, and citizens at risk. According to Fortinet’s Skills Gap report, nearly 70 per cent of security leaders say their organizations face additional risks because of this shortage.
The problem is two-fold: The industry is changing at breakneck speed, requiring constant upskilling, and there aren’t enough qualified people to fill open roles. The most challenging positions to fill often focus on significant risk or growth areas like cloud security, security operations, network security, and threat and malware analysis.
The public, private and academic sectors must find new entrants into the cybersecurity field by tapping under-represented groups. At the same time, existing cybersecurity professionals will also need to upskill to manage organizational risk and adapt to new technologies and automation.
Organizations can begin to address the skills gap with readily available cybersecurity training and certification programs. Certification allows professionals to update their skills and stay ahead of the changing threat landscape. Programs like the Fortinet Training Institute’s Network Security Expert (NSE) Certification offer specialized training paths so professionals and employers can easily target specific gaps.
The Fortinet Training Institute focuses on expanding access to cybersecurity training to close the industry’s skills gap. Fortinet pledged to train a million people on cybersecurity before 2026, by leveraging its award-winning curriculum, working with academic partners, and increasing the number of trainers able to deliver its multi-level certification programs.
Fortinet also offers training for non-security and IT staff, an important investment given Fortinet’s latest Security Awareness and Training report found 56 per cent of organizational leaders believe their employees lack knowledge when it comes to cybersecurity awareness. One way to address this is by providing targeted training. For example, Fortinet offers an education-focused version of its Security Awareness and Training service to K-12 school districts to improve faculty and staff cybersecurity skills and reduce cyber risk. They recently expanded the program to Canada and will be providing free training in English and French to 300 school boards and 1,700 private schools across the country.
Closing the security gap requires a multi-faceted approach. The cybersecurity community must quantify the risk to understand the threat landscape better. It must also quantify threat responses to identify the best practices and most effective cyber-attack solutions. Success demands a focus on talent pool expansion and a commitment to upskilling and training. The rapid growth of criminal networks, the increasing sophistication of attacks, and even the impact of digital transformation can make it challenging. Yet organizations can reduce risk by using trusted training and certification programs to upskill staff and address the priority gaps within their security and networking teams.
Rob Rashotte is Vice President, Global Training & Technical Field Enablement at Fortinet