City Security Management & Cybersecurity Skills Gap

The lack of qualified cybersecurity professionals has become a concern for leaders around the world. In an ever-changing workplace, it is clear that companies need to restructure hiring criteria and embed diversity, skills transfer, and training.

The 2022 Cybersecurity skills gap report from Fortinet shows that 64% of organizations worldwide have experienced security breaches and have linked 80% of them to the cybersecurity skills gap.

I recently explored this topic in an interview with Russell Weir, the Chief Technology Officer and Deputy CIO of the City of Newcastle – Australia. Russell and I also discussed the security management challenges faced by today’s cities.

For Russell Weir, giving people technology training and focusing on transferable skills is the way to bridge the skills gap in the cybersecurity market.

However, he also pointed out that with the rising tide of security threats, there needs to be a balance between investing in training of junior security professionals and adequately remunerating senior and more qualified team members. Organizations are under constant threat and compounding on-the-job training, daily security operations and cyber security up-skilling can be a risky move for organizations as burnout and mental health issues within cyber security is a real challenge across the industry and need to be considered.

In parallel, there is much educational work to be restructured in terms of Human Resources and recruitment. “It is common to see job advertisements for entry level cyber security roles that ask for certifications such as the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) where 3 to 5 years of experience is needed to be able to qualify for getting this certification”.

Therefore, taking both aspects into account, a good starting point would be to tap into the market with a high compliance space, e.g., military and service personnel who have a high knowledge of threat actors and defense, and help them translate their skills into a technical landscape.

Security Management for the City

The management of city security involves numerous complexities and essential elements to keep it safe, such as critical infrastructure protection, physical security, and network security. This presents a great challenge for the professional responsible managing it.

According to Russell, protecting a city is the same as protecting a large organization. Within the City of Newcastle, we have more than seventy thousand rate payers, thriving businesses and tourists that rely on the technology and services we provide. As a city we are consistently looking at ways to improve the customer experience and leverage technology and innovation to ensure we are a livable, sustainable, and inclusive global city.

In terms of managing legislative and regulatory requirements, Russell stressed the importance of identifying the areas within the city that should be compliant and understanding all of the critical assets. “Look over absolutely everything, and understand, where have I got valuable information? What are the critical services and assets? And from there, work backwards to see what mitigating controls I need to implement to ensure we are meeting the organization’s risk appetite and optimizing cost where possible.”

When it comes to education, Russell stated that there is a considerable way to go, not only in educating citizens but also employees within organizations. He suggested improved terms and conditions as a key element to help end-users understand the value of their data and their responsibility towards it while increasing general awareness.

Finally, when it comes to security innovation, a major step forward will be the automation of the GRC and compliance processes. They will give teams more time to work on up-skilling around the technical areas and incident response readiness within the organization.