End-to-end security solutions firm Sophos has openly called on security professionals to join the company as the need for cybersecurity talent grows significantly. As more and more organizations undergo and expand their digital transformation efforts, concerns about data security are becoming a priority.
Tony Young, CIO of Sophos, visited the Philippines recently in search of skilled professionals (developers and QA), as the security company believes that “the future of security is ingrained in software” and it will need those skills to support this.
In 2018, research firm Gartner Inc. released the results of a survey indicating that only 65% of organizations have resident cybersecurity experts. Considering the increasing number of data breaches and cyberattacks in recent years, this figure is hardly encouraging.
A career in cybersecurity should be a viable choice for people — the young and old — who want to explore and engage in the technology industry.
“Cybersecurity is an especially scarce skill because many universities historically did not have the curriculum,” Young said. “Cybersecurity is often a field people just fall into, which has also exacerbated the talent shortage for cybersecurity. In reality, we are seeing an acceleration of malicious behavior, all requiring cyber professionals. Unfortunately, the rate of acceleration is faster than the development of new professionals.”
Young, however, believes that this mindset is now starting to change.
Over-invest in cybersecurity
While cybersecurity still sits low among organizations’ budget allocations, according to some reports, it is getting more attention now than before.
“As a CIO, I look at my spend for IT and cybersecurity as a percentage of revenue,” Young said. “If I were the CIO in the Philippines, I would over-invest in cybersecurity. All too often, cybersecurity is under-budgeted until a breach occurs.”
Citing a recent survey of businesses in the Asia Pacific and Japan, which found that 24% of organizations in the Philippines said they’d been breached, with incidents of phishing, malware, and ransomware the major causes, Young pointed out that the number could be greater than recorded, as there may be unreported cases.
Security has evolved from part of an IT person’s job description into a full-fledged job title. Young attributes this to continued digital transformation, which requires organizations to migrate to the cloud, and the cloud is where most of the security issues happen.
“So now you need to have cloud skills, software skills, threat hunting skills – skills you didn’t need five to 12 years ago,” he said.
However, Young said whether to have a dedicated cybersecurity professional depends on the size of the organization as well as the nature of the business or the industry it belongs to.
“In general, I want about 12%-15% of my IT spend (to be) spent on cybersecurity,” Young said. “You need to make sure you have that plus the right staffing levels to support that level of spend.”
He added that organizations “must think about several factors, not just a simple metric of how many to have in IT, but what is the risk profile of the organization, what is the right investment it needs to do for the shareholders, and the right investment it needs to do for the public at large.”
Career in cybersecurity
Young said the company wants people who have a genuine passion for cybersecurity — or people who don’t need convincing.
“Sophos will tailor a learning path for them to identify the skills they’ll need to succeed in that career, often starting with smaller projects and mentoring,” Young said. “Nonetheless, we do believe cybersecurity is a part of everyone’s job. So, for example, we ensure all of our developers are educated in secure coding practices. In essence, we are training everyone to be a cybersecurity professional as a part of their job.”
The threat landscape is evolving all the time, according to Young.
“One of the key elements for planning for the future of security is to improve the whole organizational culture in relation to cybersecurity awareness and this comes from the board and senior management down,” he said. “Our security team has done a phenomenal job building a strong model for presenting cybersecurity to a board or an executive team. This model ensures the executive understands the investment required and will, therefore, make the appropriate risk-based decisions to protect the organization.”
With this outlook, the need for skilled professionals who specialize in information security and cybersecurity is expected to increase. Cloud migration, the Internet of Things, artificial intelligence, and other emerging technologies, while designed to make life much easier than before, also open up a world for cybercriminals to exploit. The sea of connected devices is expected to grow exponentially, especially with the adoption of 5G technology. With all these developments, the foreseeable future also opens up opportunities for technology professionals, aspiring or seasoned, to specialize in a particular discipline.