Bridging the Expertise Gap: Enhancing Cybersecurity Skills in Compliance Professionals

In the complex world of compliance, professionals deal with many responsibilities that go well beyond just cybersecurity.  Compliance can encompass areas such as financial regulations, anti-money laundering practices, and safety standards, each requiring its own set of specialized skills; however, a fundamental understanding of cybersecurity principles becomes essential when the focus shifts to cybersecurity compliance.

Unfortunately, many compliance professionals have only basic or novice skills in technology, which is a crucial area of understanding.

Dilki Rathnayake, the managing editor of Information Security Buzz, spoke to Jay Trinckes, CISO of Thoropass, to discuss the reasons behind this skills gap, the role of automation in bridging it, successful collaboration initiatives, and strategies for continuous learning and development in cybersecurity compliance.

The Skills Gap in Cybersecurity Compliance

He says compliance professionals typically possess a broad skill set tailored to their specific roles, which might not always intersect with cybersecurity. For instance, a compliance officer might excel in ensuring adherence to financial regulations or safety standards, but their expertise might not extend deeply into cybersecurity.

When dealing with cybersecurity compliance, professionals are expected to possess a foundational grasp of how various components of a system within a digital network interact and how technical security controls function. For instance, Trinckes says a cybersecurity auditor should be able to answer fundamental questions about how two computers (or systems) communicate with each other within (or as part of) a network. Without a basic understanding of what is being audited an auditor’s job becomes more difficult. 

Advanced knowledge is crucial for conducting effective cybersecurity audits, as it ensures cybersecurity audits are accurate and free from significant errors or omissions. Without the cybersecurity auditor having basic knowledge and ensuring the cybersecurity auditor has more advanced ‘technical’ knowledge, the value of a cybersecurity audit can be severely compromised or come into question.

Leveraging Automation to Bridge the Expertise Gap

“Automation technology has revolutionized many aspects of compliance, offering significant benefits for technical testing and data analysis. Automated tools can streamline processes, identify potential issues, and generate reports quickly. However, while automation can aid auditors, it does not replace the need for a skilled, competent cybersecurity auditor,” he adds.

Trinckes explains that the challenge with automation lies in interpreting the results accurately. Automated reports may include false positives or false negatives, and understanding the context around these results requires a nuanced knowledge of both the technology and the specific compliance requirements.

For instance, a control may require a review to be performed on firewall configurations.  An auditee could easily indicate or demonstrate they reviewed the firewall configuration report; however, without knowing how the network is designed, a cybersecurity auditor would be unable to question why certain rules are configured.  Without this knowledge, an auditor may ‘pass’ a client on the audit even though there is a rule permitting all ports to be opened to all systems without any restrictions, causing a severe security violation.  Thus, while automation can enhance efficiency, it is crucial to have auditors who can contextualize and validate automated findings effectively.

Successful Collaboration Initiatives

Effective collaboration between auditors and auditees is pivotal for improving compliance expertise and ensuring smooth audit processes. When auditors have a comprehensive understanding of the auditee’s environment, they can conduct more effective and efficient audits. This understanding helps build trust and reduces wasted time spent on irrelevant or redundant inquiries.

According to him, successful collaboration involves clear communication, mutual respect, and a shared goal of achieving compliance objectives. When auditors and auditees work together transparently, the audit process becomes more streamlined and less prone to misunderstandings or conflicts. This collaborative approach enhances the overall quality and reliability of the compliance process.

Supporting Continuous Learning and Development

He says organizations must prioritize continuous learning and development for their teams to address the skills gap in cybersecurity compliance. Training programs should focus not only on theoretical knowledge but also on practical, hands-on experience. Understanding the technology behind security controls and solutions is essential for effectively meeting compliance objectives.

Trinckes says auditing firms can support this development through establishment of apprenticeship programs where more experienced cybersecurity compliance professionals train up the next generation putting brand new auditors through their paces in order to develop their skills by:

• Providing Hands-On Training: Practical experience with cybersecurity tools and technologies is crucial for developing a deep understanding of how they work and how they contribute to compliance.
• Encouraging Technical Backgrounds: Professionals with a technical background may find it easier to grasp compliance nuances than those with purely compliance-focused expertise.
• Offering Expert Training: Learning from cybersecurity experts can provide valuable insights and advanced knowledge.
• Mentorship and Practice: Seeking mentors and practicing skills in lab environments can enhance technical proficiency and confidence.
• Understanding Technical Documents: Reading and interpreting technical documents, such as network diagrams, is essential for effective compliance work. (Housing contractors can’t build a house without reading and understanding a blueprint.)

Advice for Compliance Professionals

For compliance professionals aiming to enhance their cybersecurity expertise, he offers the following advice:

• Commit to Lifelong Learning: Embrace a mindset of continuous education and stay updated on the latest developments in technology.
• Engage in Expert Training: Participate in training sessions led by cybersecurity experts to gain advanced knowledge and practical skills.
• Seek Mentorship: Find experienced mentors who can provide guidance, share insights, and help navigate complex cybersecurity challenges.
• Practice Technical Skills: Build and work in lab environments to gain hands-on experience and apply theoretical knowledge.
• Understand Context: Don’t rely solely on automation. Develop the ability to understand the context of automated results and assess their relevance accurately.

By following these strategies, compliance professionals can bridge the expertise gap in cybersecurity and enhance their effectiveness in managing cybersecurity compliance, Trinckes concludes.