Three Approaches to Overcome OT’s Cyber Skills Gap

Three Approaches to Overcome OT’s Cyber Skills Gap
Three Approaches to Overcome OT’s Cyber Skills Gap

It’s common knowledge that the fusion of OT and IT has given rise to a fresh attack surface for OT environments. As network settings continue to shift away from closed to open systems, industrial facility and other OT leaders in a global survey reported a 20% increase in system incursions from the year before.
Although many industries suffer from a major cybersecurity skills gap, OT is acutely impacted because IT skills in general are often lacking in this sector. To fill this gap, organizations need a stronger approach to training and cyber hygiene.

The skills gap and its impact on cyber-attacks

The worldwide cybersecurity workforce must increase by 65%, according to the 2021 (ISC)2 Cyber Workforce Report, in order to properly secure enterprises’ crucial assets. Although there has been progress—in the past year, the number of experts needed to close the gap has decreased from 3.12 million to 2.72 million—it is obvious that there is still a significant talent deficit.
Organizations around the world are finding it challenging to protect their critical digital assets because their security teams are understaffed or lack more senior-level professionals. The organizations surveyed in Fortinet's 2022 Cybersecurity Skills Gap Report said that the shortage of cybersecurity professionals has played a role in 80% of the breaches that have occurred.
Three ways to help close this gap are by expanding security training, reskilling and looking beyond “traditional” talent pools.

Implementing expanded training

Though security teams unquestionably play a pivotal role in safeguarding an enterprise's digital assets, everyone today–regardless of their position within the organization–is responsible for cybersecurity. While it’s true that employees should serve as a powerful first line of defense, this is only achievable if they are knowledgeable about and skilled in spotting the techniques attackers are using. It follows, then, that it’s essential for all employees to take part in ongoing cybersecurity awareness programs.

Not all training programs are created equal, so choose carefully. Significant training should be provided to all staff members on how to spot and report questionable online activity, including phishing emails. In about 50% of ransomware attacks, criminals use social engineering methods like phishing. Maintaining training for your staff on these attacks will help prevent them from falling for the trap, especially as attackers continue to improve their techniques.
Unfortunately, this type of education is not a “one and done” activity, since cybercriminals are endlessly creative and innovative. Training needs to be done on a periodic basis so that everyone knows the latest tricks and tactics to watch out for.

Reskilling is key

In light of the cyber skills gaps, retaining the security talent you have on staff should be a top priority. Giving your employees regular opportunities to learn new skills or improve their current skills can strongly influence retention. Data demonstrates the value of ongoing training programs for security staff; 95% of the organizations surveyed attested to the benefits of technology-focused certifications.

You can also look within your ranks to identify employees who have an interest in gaining more security skills but who don’t currently work on the security team.  

Expanding beyond traditional talent pools 

Expanding your search beyond the standard talent pools that you use when recruiting IT specialists is a significant additional factor. Men outnumber women in cybersecurity by a ratio of three to one, according to (ISC)2's Women in Cybersecurity report. These two issues can be solved in parallel; increasing the number of women working in the industry can help, to some extent, with the skill gap.

Women, former service members, students and other underrepresented groups are just a few of the talent pools that can be a great help to cybersecurity teams and close the skills gap. Many organizations are already making efforts to create greater diversity in their teams, according to a recent poll. For instance, 89% of businesses worldwide have specific diversity goals in their employment strategy. They report that they have official initiatives in place to increase the number of women (75%), minorities (59%) and veterans (51%) they hire.

As The Great Resignation has demonstrated, now is a great time to find job seekers interested in switching careers or at least learning new skills. Almost 25% of individuals reported their desire to look for a new job (very or somewhat likely) in the next six months, as reported by the Pew Research Center. Include this group in your recruiting efforts.

New strategy for a safer OT environment

The cybersecurity skills gap is having a strong impact across all sectors, but it’s especially problematic in the OT space. No matter their position in an organization, everyone is responsible for cybersecurity–but they can’t play their part without proper training. Implementing an ongoing cyber hygiene and awareness program plays an important part in helping the security team fulfill its mandate.
Organizations also need to reskill some of their employees who show an interest in learning or augmenting cybersecurity skills–a “recruiting from within” strategy. And rethinking recruiting strategies toward including traditionally overlooked talent pools will also help your organization fill all open security team slots. This will strengthen your security posture and can lead to greater job satisfaction and retention, too.

About The Author

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing and life Sciences.

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker and veteran.

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..