Three messages currently dominate media coverage of cybersecurity: the number of cyber-threats is growing rapidly, the impact of these attacks is growing too, and organisations are ill-equipped to counter them. The final point is often attributed to a cybersecurity skills gap across the region. Whilst universities and professional training courses are trying to close this gap, demand for cybersecurity skills is growing faster than the supply, so the gap will likely remain.
Yet, there is one man who sees things differently. He is Dr Eric Cole, one of the world's leading cybersecurity experts and Faculty Fellow at the SANS Institute. He argues that whilst there is a gap, it's not necessarily a gap in tactical cybersecurity skills, such as vulnerability scanning and patching, the kind of skills which are most commonly taught on training courses; instead it's something more fundamental.
"From my perspective it's more of a gap in a consistent framework in what it actually means to be secure," posits Dr Cole. "I bet that if we grabbed five cybersecurity experts and asked them to give us a one sentence definition of a secure organisation, we would probably get five different answers, and this is something I'm really focused on. What we really need to win in cybersecurity are consistent metrics that give us the visibility on what the risks are in our organisations, and which risks are and are not acceptable."
That is where the problem lies. If cybersecurity experts themselves cannot agree on what makes an organisation secure, a CEO or board cannot be expected to decide which risks are acceptable and which are not.
"What I see as I go around the world is that there are a lot of smart people that understand cybersecurity, but the problem is that most of their understanding is very tactically driven. To me, the big gap is how do you translate the technical, tactical language of security into strategic executive metrics that the CEO and the board of directors can understand in order to make the right decision. What a lot of people don't recognise is that if you are not getting the security budget, the training, or the resources you need, there's a simple explanation: the executives do not view that as a high priority."