By Gregory Hale
One of the most well-known facts about industrial control system cybersecurity is there is a serious lack of qualified experts to fill vital roles at manufacturing enterprises.

While almost every sector from banking to medical to IT can say they need qualified cyber professionals to help keep their systems up and running and safe from any marauding intruders, manufacturing needs highly skilled workers to take care of the basic tenants of security, but they must also ensure hazardous processes maintain a level of safety.

“The talent gap is probably the biggest challenge for organizations looking to really implement and maintain their security controls,” said Dee Kimata, Director of Cybersecurity Solutions and Services at Schneider Electric. “There is a substantial increase in digital or networked assets, which increases cybersecurity risk, and there are threat actors that are working 24/7 to try and exploit vulnerabilities in these new digital environments. According to ICS2, there was an average of 3.4 million cybersecurity open positions globally last year with over 700K of those jobs in the U.S. alone. I think these are daunting statistics that show how big this challenge is.”

With all those open positions, daunting is the key word there.

With digitalization continuing to thrive with more organizations stamping out a stronger digital footprint, it means connectivity is rising which adds to the possibility of a larger attack surface for threat actors to breach a system.

OT Expertise Needed
Along those lines, a manufacturing environment is not just an IT space where anyone can go in and apply a security solution, it is a specialized area that needs operational technology (OT) expertise and experience.

“The idea that cybersecurity degrees or formal training for cybersecurity is relatively new,” Kimata said. “That means there are limited amount of people that really have these qualifications. A lot of this is learned on the job, especially when hiring for expertise.”

The process of finding the right person or team with expertise and then retaining them is one thing, the challenge of securing the manufacturing enterprise against cyber threats remains the core mission.

Schneider Bold

“I think people are such a critical part of the overall company’s security posture,” Kimata said. “We always hear about people, process and technology, so without balancing that equation from an overall kind of digital standpoint, there’s a huge gap. And the same is true for managing the overall security posture as it relates to cybersecurity. That means cybersecurity awareness should be baked into any organization. Security incidents are often started by human errors. Whether they click on a phishing link, whether they connect to insecure networks, weak passwords, et cetera, all of those are, I would say, human errors that decrease the overall security posture. In every standard you’ll see an emphasis on creating cybersecurity programs and processes, and they are also people focused. One of the good markers of a company that manages security well is not just the people that manage cybersecurity, but also the awareness for everyone within that organization so they understand cybersecurity principles and they act in a manner that’s secure.”

Cost, Time Retaining Cyber Talent
For any organization that is either at the beginning stage of a cybersecurity program or well along the journey, the idea of constantly dealing with a revolving door of security personnel leaving and then having to train new workers once you find them can take up serious time and expense. Add in the cost of operating your own security operations center (SOC) that can take serious time and multiple millions of dollars to fund. That is why more companies are looking at Managed Security Services (MSS) as an answer to the cybersecurity talent gap.

“Managed Security Services provide cybersecurity specialists who are dedicated and trained to identify and respond to cybersecurity risks,” Kimata said. “And due to the nature of those organizations, they recruit, hire, and maintain cybersecurity talent. That is all they do. One thing that is unique about a managed service provider is because they handle multiple clients, they’re able to fill what would be downtime or what makes having those cybersecurity professionals in-house really expensive. They have this top talent working with multiple different projects, assignments, which means they’re utilized well, and they have processes and the technology stack in place to maintain infrastructure on behalf of organizations. They take the burden off creating a SOC or a security organization in-house that may not be as utilized as much as they could be or could be expensive.”

That means a Managed Security Service Provider (MSSP) can offer a series of workers with different areas of expertise – networking, incident response or deep technical knowledge amongst others – to throw at a problem.

MSSP Pipeline of Expertise
“The mission statement of these Managed Services is to provide the best security. They focus on that. They’re looking at the best technology solutions,” Kimata said. “They are training their resources; they’re building a pipeline of expertise. That focus, and the investment that they’re able to make really creates organizations that security is their purpose, it’s the only thing that they do. And then they’re able to allocate the required resources to a particular end user. Sometimes that requires eyes on screen, so some basic services, and sometimes it’s access to some of those complex skills where data correlation is happening, or an incident is identified so immediate remediation work and hands-on support is required. Not only do they have those specialized skills, but managed service providers can provide coverage 24/7.”

Another well-known fact today is risk continues to increase at a steep rate, and training security professionals is going to take a substantial amount of time. To fill this gap, one of the best ways to do it is through shared resources.

“Everyone is gearing up essentially to address the talent gap,” Kimata said. “Defining a talent pipeline is still very important, we can never get around that, but I also think cost sharing through Managed Security Service Providers is going to expedite the process to implement cybersecurity across organizations.”

Looking Outside the Box to Find Cybersecurity Talent

Finding qualified cybersecurity talent in the OT sector traditionally comes from people showing an aptitude and moving into a role at a company or from college degrees focusing on cybersecurity, but with millions of jobs open across the world, there needs to be a new way of finding solid cybersecurity talent.

“I think the traditional model for recruitment is tough because you’re looking for expertise and there’s a very small talent pool to work with,” said Dee Kimata, Director of Cybersecurity Solutions and Services at Schneider Electric. “Instead of focusing on those traditional markers for what makes a good cybersecurity professional, identifying the desired characteristics in people and then training them up is the way to go. These traits include the ability to prioritize under stressful situations, and show demonstrated technical aptitude. You also need someone that understands computer basics, networking, confidence in decision-making and critical situations, and then being solution driven and resourceful. This idea of non-traditional talent, let’s say military personnel that have had a career prior to wanting to get into cybersecurity, could be great candidates. I think they fall into this bucket.

“I also think that there are organizations that have recognized this and specifically focus on targeting military personnel that have that aptitude and technical career path. Maybe look at upskilling professions like firefighters, that sort of thing, and then women and other under-recognized groups in cybersecurity,” Kimata said. “The key is with hiring that non-traditional talent, there needs to be a period of training, some formal training on the job, and then an expectation for there to be a learning curve. I think the only way to address the cybersecurity talent gap is to leverage this non-traditional talent.”


Pin It on Pinterest

Share This