More needs to be done if we are to ‘shift the dial’ in addressing the local cybersecurity skills shortage as well as the shortage of digital-savvy leaders for the next decade and the future world of work
The pace of digitalisation and the growth of e-commerce and online activity gained further momentum globally during the pandemic. According to the United Nations Conference on Trade and Development, as lockdowns became the new normal, businesses and consumers increasingly ‘went digital’, providing and purchasing more goods and services online and raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020.
These developments have increased the pressure on organisations to fundamentally review and alter their business models, warranting significant levels of investment in digital and Information Technology (IT) capabilities, automation of processes, and creation of online platforms and channels to engage with customers.
While digital technologies deliver benefits to organisations, they also create potential risks and threats. The volume of electronic data and information generated by organisations nowadays is staggering. The ability to monetise data means that company and customer data are considered valuable assets in the digital economy.
Large data holders like banks, insurance companies, online sales platforms and social media platforms, state entities and others are repositories of high volumes of consumer personal information and as such have become the prime targets of fraudsters and hackers. This is evidenced by the number and sophistication of attacks on IT infrastructure, ransomware attacks and other forms of data theft that have become more ubiquitous since the start of the pandemic. A recent example is the cyber-attack on Transnet’s port operating system on 22 July which caused severe disruption to its operations and forced it to declare force majeure at its container terminals.
Following the implementation of the POPI Act (effective 1 July 2020), companies are now being monitored by customers (who are more aware of their rights with regard to the handling of their personal information), regulators and public interest organisations on how well they protect their own information as well as the data of their customers and third parties they engage with. Failure to do so can severely damage brand equity and shareholder value.
Furthermore, the increasing interconnectedness of organisations globally in the digital environment means that an organisation’s cybersecurity risk extends beyond the organisation itself (specifically, beyond the security and resilience of its systems, networks, and the protection of its data and information). Organisations have to ensure that their exposure to third-party risk is effectively managed through appropriate internal control mechanisms.
It is clear that cybersecurity risk shouldn’t be underestimated and continues to grow in importance for organisations. Equally importantly, cybersecurity governance remains a critical priority for companies’ boards of directors and executive management teams. Having appropriate cybersecurity expertise at management and board level is now an acute need and a business imperative for the appropriate management of cybersecurity risk including anticipating future threats and staying ahead of them.
MIT’s 2019 research which focused on the boards of US-listed companies indicates that companies with ‘digitally savvy boards’, as defined in the survey, outperformed others by at least 34% on key metrics such as return on assets, revenue growth, and market capitalisation growth. Digital savvy is defined in the survey as ‘an understanding, tested by experience, of how digital technologies such as social, mobile, analytics, cloud and the Internet of Things, will impact how companies will succeed in the next decade’.
MIT’s 2020 research which focused on the top management teams of a sample of US-listed companies indicates that companies with ‘digitally savvy top management teams’, as defined in the survey, had 49% higher growth, 16% higher margin, and 53% higher company valuation than the rest. Digital savvy is defined in the survey as ‘an understanding, developed through experience and education, of the impact that emerging technologies will have on businesses’ success of the next decade’.
A recent Heidrick and Struggles survey highlighted the shortage of cybersecurity risk expertise on the boards of listed companies internationally, for example in the US and Europe, but also in South Africa, which fares worse in comparison. The dearth of cybersecurity skills and the demand for these skills in the market make it difficult for companies to attract and retain top cybersecurity talent, especially at leadership level, leaving many companies without the required skills and experience to deal with fast-evolving and increasingly sophisticated cybersecurity threats.
In South Africa, professional skills are often sought from abroad to fill the most senior and specialist cybersecurity roles, but while it provides cover in the short term, it is not a sustainable solution. Not only does hiring expatriates − especially specialist expatriates − come at a significant financial cost, and in many instances with fixed-term contracts, it also has the potential to create human resource challenges that organisations need to be aware of and anticipate. The successful integration of expatriates into organisations requires agility to adapt to new cultural and social demands and this can be challenging for them as well as the teams they’ve been brought in to lead. Failure to do so may impact negatively on team cohesion, engagement levels and morale of both parties and ultimately lead to dysfunctional teams.
At board level, in the short term, one of the ways to develop this expertise is to expand board recruitment from the traditional competencies like audit, risk and compliance to include digital and cyber expertise where these skills are available in the market. Boards should also be encouraged to upskill through self-learning and crafted board training programmes, as well as through regular formal and informal engagement with organisations’ chief security officers and chief information officers to discuss, for example, existing and emerging digital threats and opportunities, and new and emerging technologies and their implications for the organisation.
However, the strategic solution is to develop the skills locally by investing in cybersecurity awareness initiatives, education, practical training and the creation of centres of excellence. This will require investment and will take time but in the long term, this is the best solution. The added benefit is the ability to eventually ‘export’ South African professionals from local centres of excellence who would showcase the calibre of talent and potential that exists in South Africa.
So, how do we get there?
Using the analogy of the construction of a house, it starts with a solid foundation. Let’s begin by raising public awareness of the importance of cybersecurity skills for the integrity and brand equity of the South African financial market system and for confidence in the broader business environment. This should be followed by promoting the awareness of and interest in career opportunities in the cybersecurity industry at school and tertiary institution level, as well as within organisations, so that existing employees are made aware of cross-skilling opportunities that are available to them.
Additionally, consideration should be given to the following initiatives, among others:
- Defining school and university curriculums that support the development of specialist talent with the appropriate certification, qualifications and practical training. To this end, it is encouraging that SAICA’s CA2025 Competency Framework includes among several crucial enabling competencies (as defined in the framework) ‘digital acumen: cyber security’ as a key competency outcome that accredited universities will have to consider when designing their future graduate and postgraduate accounting curricula. It represents an important first step towards formalising digital skills training as part of the CA(SA) qualification.
- Encouraging organisations and businesses to recruit from local talent pools.
- Implementing mechanisms to enable the transfer of knowledge and skills from expatriate employees to local teams to develop their skills and competencies.
- Curated career development mechanisms implemented by organisations − including management and leadership training as well as growth opportunities − that would provide their cybersecurity employees with meaningful career paths and cross-skilling opportunities and equip them for future senior executive management and board roles.
This will go a long way towards providing a sustainable solution to addressing the cybersecurity skills gap. It will also help organisations build and retain an engaged and loyal pool of talent. Some local organisations with the wherewithal to do so, like the banks and insurance companies, are already investing in their own learning academies that are beginning to show results, but more needs to be done across other sectors and industries.
References
1 United Nations Conference on Trade and Development, How COVID-19 triggered the digital and e-commerce turning point, March 2021.
2 MIT, Companies with a digitally savvy board perform better, 2019.
3 MIT, Companies with a digitally savvy top management team perform better, 2020.
4 Rob Rose, JSE execs no match for the hackers, Financial Mail, 19 August 2021.
AUTHOR
Zameera Ally, CA(SA). Audit, Finance and Risk Professional