Regarding specialists in the field of Cybersecurity, and securing companies from cyberattacks – says Adam Galach, President of Galach Consulting

How does a deficit in IT personnel affect cybersecurity in enterprises?

The answer is very simple – negatively.  The problem is definitely much more complex. Not every organization can allow itself to hire and keep cybersecurity specialists who deal exclusively with cybersecurity. In cases of large organizations that create positions or entire departments dedicated to dealing with this growing problem, is slowly becoming the new norm, regarding smaller businesses when it comes to dealing with protection from cyberattacks rests with IT personnel and especially with all the systems administrators. Therefore it would be beneficial if these personnel would possess the proper competences and had time to deal with securing the information technology systems. In practice, unfortunately, there is a lack in both competences. It may seem that in readily available access to materials, ones free of charge included, dedicated to the challenges of cybersecurity, building competences in this field, should not be a problem, although, through our observations point to a whole different scenario.

With securing information technology systems is in some respects like with insurance. Appears to be unnecessary until an unfortunate incident occurs. Unfortunately, I have a feeling that the problem with cybersecurity in smaller organizations is dealt with in a similar matter, example being, press agencies reporting on attacks, sometimes even on local government offices.

In summary – the optimal solution is employing personnel dedicated to dealing with security of an organization before cyberattacks. If however this is not possible – whether it is because of budget issues, or because of lack of suitable candidates – these responsibilities should be laid upon the administrators.

An alternative or additional solution could be taking advantage of outside support – whether it be in the range of administering a part of those duties related to Cybersecurity management or with the aim to advise or oversee actions undertaken by the administrators.

In recent years we have a surge in proposed courses and trainings that serve purpose to educate and retrain personnel, whom have never before had any previous experience with IT. Various kinds of programming schools promise courses, whilst tempting with eventual high paying jobs in the market. According to you, persons that have completed these types of courses, possess proper knowledge and competences to work as cybersecurity specialists?

It is difficult to give a substantial and satisfying answer to this question, because courses and schools vary greatly. In my opinion, it is worth noting fact that possessing basic knowledge, without which it is hard to become a specialist. I could not possibly imagine how one could undertake information technology systems security without knowledge of even basic operating systems functionality or web protocols. It is boring, a lot more interesting would of course be activing a hacking program to get into a system to attack it. In effect we have tools for person who know how to use them in testing security systems, who think they know which key or button to press. As I have mentioned earlier – I do not want to generalize, but I’m weary that we will come across this type of situation more often than not.

I would also like to mention the problem of mistaking a Cybersecurity specialist  with a PenTester. Of course, conducting a penetrating test that checks the durability of digital infrastructure for attempted attacks is no doubt important, but more important, from the perspective of the organization wanting to protect its systems, to have on board somebody that knows how to implement protection, how to detect symptoms of an attack and finally, how to deal with an incident. If the course envelops only attack methods, then we will not come across this topic during a course.

In that case, what competences should a specialist have in the field of cybersecurity? Are there any must-have conditions, thanks to which we know that the person in question is really legitimate specialist, and not some fraud?

Depends on what this specialists tasks would be. A consultant would have different requirements from someone who does security tests, others may have to monitor systems and detect any eventual attack attempts, and a specialist that verifies the security of codes created for a program would have even more differentiated responsibilities – luck would have it, there is a whole range of certificates that verify accumulated knowledge, which in order to attain there is a mandatory exam and documented professional experience. Probably the most wide-ranging, covering multiple security facets – beginning with security management, through broad concept of information technology security and closing out on securing buildings and spaces –  this is the so called CISSP (Certified Information Systems Security Professional). It is worth looking into certificates like ISACA, such as CISA (Certified Information Systems Auditor) or CRISC (Certified in Risk and Information Systems Control). There is also a wide range of special certificates, that deal with specific branches of cybersecurity, which a specialist should possess, adequate to tasks which they will have assigned to them. In our company we make sure that consultants, along with growth in their competences, pass branch exams that result in them attaining these certificates.

Employing a specialist in Cybersecurity you have to pay attention to the professional career path of the potential employee, however, one’s career path can at times be deceiving. I have personally come across situations where persons working in positions whose titles pointed to more substantial experience in problematics of security of information technology systems, at the very least, had very little to do with it.

To conclude – it would be good if the candidate possessed experience in a company related to the one conducting the recruitment process –  both in scale of the organization and industry in which it operates. The same can be applied to a situation in which we decide to take advantage of companies that specialize in problematics in cybersecurity –  which in practice can be a simpler, quicker – and generally –  a cheaper alternative.

Adam Galach – is the creator, co-founder and president of the board at Galach Consulting S.C. Subjects dealing with information technology safety have been his profession for over 25 years. Before the founding of Galach Consulting in 2004, worked at a global corporation, where he directed the international program for building of a competence centre in the field of cybersecurity. Along with his team he realized projects for government and local authorities, and firms representing a wide spectrum of economy sectors – from banks and financial institutions, through different service companies, to a broad concept of industrial. Possesses recognized industry certificates, is the author of a range of books and articles dedicated to problematics in information security and cybersecurity management. He has a soft spot for weights – in his free time he trains powerlifting.

Last Updated on August 24, 2022 by Anastazja Lach