Every 39 seconds, a cyber attack occurs somewhere in the world. More than one and a half million adults are victims of cybercrime every day, and in Spain alone there are 40,000 daily attacks. The digital transformation of society, accelerated by the pandemic, has caused an exponential increase in the exchange and storage of data and in the contracting of all kinds of services over the Internet, but also in threats that can seriously affect the integrity of a company or even of any citizen in their private life. “We live in a digitized world where the possibilities of access to information have multiplied. The number of connected devices continues to grow and, in fact, we spend more time in front of the mobile phone than in front of the TV… The Internet is another extension of our lives, but many users are not aware that maximum precautions must be taken”, says Hervé Lambert, global manager of operations with customers at Panda Security.
“The question is not if a person or a company will be affected, but rather when,” says Éléna Poincet, CEO of Tehtris, “and the threats are increasingly complex and growing.” Developers, cybersecurity and artificial intelligence engineers, cybersecurity architects, Big Data analysts… The need for professionals is evident, and so is the lack of specialized professionals in this sector, who are not able to meet the demands of the market. According to the Analysis and Diagnosis of Talent in Cybersecurity in Spain, prepared by the National Observatory of Technology and Society (ONTSI) and the National Institute of Cybersecurity (INCIBE), in 2021 there were in Spain a total of 149,774 workers dedicated to cybersecurity and a talent gap of more than 24,000 jobs, while by 2024 it is estimated that the demand for employment will grow to exceed 83,000 additional professionals.
Are Spaniards prepared to face these threats? Only halfway. On the one hand, at a global level, Spain is one of the countries most committed to cybersecurity, as shown by its fourth position in the world in the ranking produced by the International Telecommunication Union. But the results change depending on the mirror in which we look at them. “The situation has improved, although not everyone is going at the same speed. If large companies are aware and there are many training plans, the situation is very different when it comes to SMEs and home users”, explains Lambert. “Small companies are especially interesting for cybercriminals due to cybersecurity gaps that allow them to steal and hijack data. Around 60% of attacks in the corporate world target small companies.”
Home users, on the other hand, seem conscientious about their personal computers, but they do not protect their data as much when it comes to other types of devices. “If we massively use new technologies, we need a component of awareness and good practices, which is still common sense. Some rules that we all have clear when we talk about the physical world, but not so much when we go to the digital environment”, says Sara García, head of Cybersecurity Talent at INCIBE. “Many times it is about calming down and saying: ‘Come on, if something that normally costs €50 is being offered to me elsewhere for €20… maybe there is something behind it that is not what they say, right?’” In case of doubt, companies and private citizens can make free use of any of the tools that INCIBE puts at their disposal: the 017 helpline, the Internet Security Office and Safe Internet for Kids (IS4K), to help minors and senior citizens broaden their basic knowledge of cybersecurity.
What are the main threats?
If more data is needed to understand the growing magnitude of the problem posed by cybercrime, this should be enough: 1,384 personal data records are stolen every minute in the world. The tools used by hackers to attack companies and individuals come in all sizes and colors, and some specialists go so far as to say that, in 2022, there will be a ransomware attack every seven seconds. This threat (blocking user access to certain parts of their system in exchange for a ransom) was the top threat of 2021, with attacks increasing by more than 140% in the third quarter of the year alone. There are certain things that must be very clear: “A simple click can cause an attack from cyberspace, and people (the weakest link in the security chain) or companies must decide how to solve it so that their reputation is not compromised. A malicious file can be a key that, from the outside, someone will use to access all our information without us being able to do anything to avoid it”, says Lambert.
“More than 99% of cyberattacks depend on human interaction to be activated, and email is the most used threat vector because it simply works”, illustrates Nuria Andrés, cybersecurity strategist at Proofpoint in Spain and Portugal. Email, she adds, is not the only entry point for malware: “According to our research team, a huge increase in attempts to distribute mobile malware has been detected in Europe, and since February we have seen an increase of 500%.” The most worrying thing is that this malware is currently capable of much more than stealing access credentials to different services, even recording telephone and non-telephone audio and video. However, “the biggest threat to the average user is from the famous phishing, messages that apparently come from a reliable source and that obtain access data to one of the user’s platforms”, says Jared Gil, CEO and founder of Nuclio Digital School.
The most demanded profiles
The digitization that has permeated all areas of society has meant that cybersecurity specialists must also be equally heterogeneous. “We have to remember that cybersecurity is not an exclusively technical career. It is a transversal discipline that is intermingled with others that historically were not digital”, says García. This leads the market to look for hybrid profiles with areas such as law (the entire legal perspective of the Internet, Internet crimes and data protection), health (aspects such as network addiction and cyberbullying) or even education (so that an educator knows the best way to manage elements such as social networks or WhatsApp groups of students).
Then, of course, there are the technical profiles, towards which most specialization master’s degrees are focused. “The most demanded professionals are those who have a strategic vision of global information management. Hence its specialization in what refers to architecture and security infrastructure”, says Gil. The core skills of a cybersecurity expert, he adds, “are those of hacker, essential for identifying complex security holes; forensic, to apply scientific investigation techniques to digital crimes; and as an architect, to apply all possible technologies”. Another of the most sought-after specialties, according to Lambert, is that of big data analysts, professionals who are capable of building mathematical models for the detection of anomalies; a more desirable profile in companies that require an advanced level of cyber protection or in companies that offer specific cybersecurity services. “Nearly two-thirds of the CISOs (chief information security officers) surveyed believe their companies are at risk of a major cyberattack in the next 12 months,” Andrés recalls.
Now, when it comes to training, how many specialties related to cybersecurity are there? INCIBE’s latest catalog of regulated training in cybersecurity, as of November 2021, includes 84 master’s programs, three university majors, four bachelor’s degrees, and 30 VET majors (although there are many more). “In Spain there are so many master’s degrees because many of them are their own degrees, which depend on the university itself, they can change the syllabus in a more agile way and easily include professors from industry”, explains García. The problem, she points out, is that few of these programs focus on a specific profile; instead they offer more generalized knowledge through different subjects, and the ability to self-study remains key.
“We are aware that the world of academia and industry have to be connected. That is to say, that what I study is something that the market demands”, reflects García. To solve it, INCIBE, together with the National Cybersecurity Forum and ENISA (the European Union Agency for Cybersecurity), is working on a common competence framework in which, for the time being, 12 cybersecurity profiles necessary for the company have been established: the CISO (Chief Information Security Officer), responsible for cybersecurity in a company; the incident manager; the legal profile; the threat specialist; the cybersecurity architect; the auditor; the one who educates (who raises awareness both within a company and with regard to citizenship); the solution implementer; the investigator; the one who does risk analysis; the forensic analyst and the penetration tester. “These 12 profiles encompass practically all the needs of the labor market and provide a common language so that the academy, on the one hand, can begin to define training programs based on these profiles, and that the company can define the vacant positions”.
This common framework will also affect future higher degrees and specializations in vocational training. The current lack of professionals means that “today, both those who come from vocational training and from the university are going to occupy relevant positions, resolve incidents and climb the labor pyramid without a problem,” says García. “But when we already have complete cycles of cybersecurity in vocational training, master’s degrees and degrees, the difference will be what there should be in all careers: much more operational and functional vocational training, which would enter company hierarchies a little more at the base; and university graduates with, presumably, greater management skills”.
The ONTSI-INCIBE analysis, presented at the Mobile World Congress 2022 in Barcelona, also made reference to the gender gap in the world of cybersecurity. This deficit is already reflected at the university stage, in which only 18% of graduates specializing in this subject are women, and it extends to all STEM disciplines (Science, Technology, Engineering and Mathematics).