Cyberattacks are growing but the talent pool of defenders is not keeping pace, reveals a Nation Newsplex review of cybersecurity data.
Kenya has only 1,700 certified cybercrime professionals, too few to secure a population of close to 50 million in one of the most advanced countries in information and communication technology (ICT) on the continent, reveals a new report on cybercrime.
Figures from the Africa Cyber Security Report 2018 show that about two-thirds of companies will face a talent shortage of cybersecurity professionals.
“Most black-hat hackers (cybercriminals) are self-taught. We must have frameworks to change them to become white hats (ethical hackers) to help protect the system,” says Mr John Walubengo, an ICT lecturer at Multimedia University and a technology blogger.
This is so even as the country’s ICT prowess continues to be recognised beyond the boundaries. Just last week, Kenya raised its clout as a continental digital pacesetter when President Uhuru Kenyatta launched the country’s Digital Economy Blueprint at the Transform Africa Summit in Kigali, Rwanda, the first in Africa.
The summit brought together global and regional leaders from government, business and international organisations to chart a way forward for ICT development in Africa.
Besides coming up with the digital blueprint from which other African countries will hopefully learn how to modernise their economies, Kenya has also been selected to develop yet another template for a single digital market in Africa.
But all the accolades the country is attracting will be in vain if the cybersecurity skills gap is not fixed urgently, according to Mr William Makatiani, CEO of Serianu Limited, which released the Africa Cyber Security Report 2018 – Kenya. He estimates that with a population of 50 million, about 10,000 skilled cybersecurity professionals would be a good place to start.
“We have to acknowledge that security is a critical component of everything we are doing in technology. We can go out there and talk about the big things we are doing here but the hackers are listening and we end up being exposed in the short term,’’ he says.
The report was partly informed by a survey involving 300 IT and security professionals working in different sectors.
The country has, at the national level, many notable ICT innovations and applications used in commerce and governance, such as M-Pesa, the Integrated Financial Management Information System (IFMIS), National Integrated Identity Management System (NIIMS), better known as Huduma Namba, the student number system Nemis and the youth job search portal Ajira Digital.
This digital rush has seen the ICT sector output value grow by more than a half, from Sh259 billion in 2014 to Sh390.2 billion in 2018, according to the Economic Survey 2019. The value of additional ICT equipment also improved by more than a third in the four years, standing at Sh79.1 billion, up from Sh57.9 billion in 2014.
The rapid growth in investment in ICT has been complemented by the country’s learning institutions churning out the professionals required to keep up with the pace. About 15,300 students graduated with computer-related degrees, postgraduate courses and PhDs between 2012 and 2016, a much larger number than the sector can currently absorb.
The country ranks second in Africa in digital training, according to the Africa Digitization Maturity Report 2017 by Siemens. It is followed by Ethiopia, South Africa and Nigeria.
The President noted in Kigali that his administration had begun creating a pool of graduates skilled in ICT, who have so far played a role in developing the country’s NIIMS. This is not the first time young local talent has been engaged in a similar project. In 2017 Jomo Kenyatta University of Agriculture and Technology (JKUAT) was awarded the tender to deliver tablets for the government’s Digital Literacy programme. JKUAT also signed, in the same year, a Sh60 billion deal with the Kenya Private Schools Association for the manufacture and supply of about four million devices over a period of three years.
Not safe online
While Kenya’s digital might is not in doubt, the report suggests that there is an urgent need to secure the country’s investment in ICT.
Cyberthreats have gone up a great deal, according to the Communications Authority of Kenya data. Some 10.2 million threats were detected in the last three months of 2018, over 2,200 times the 4,589 recorded in the same period the previous year.
Last year, such security breaches led to the direct and indirect loss of more than Sh29.8 billion, according to the cybersecurity report.
Online security is not just a concern to corporations. The report finds that three in five people have been cybercrime victims at least once in the five years preceding the study. Of these, 57 percent of the cases were in the line of work, 39 percent at a personal level and seven percent in both capacities.
Two in five corporate respondents in the study cited loss of money as the leading impact of cyber-insecurity for their companies, the highest. It was also the number one setback for individuals (30 percent). Individuals were impacted more than corporates by inconvenience (27 percent against 17 percent) and psychological harm (21 percent against six percent).
Close to a quarter (23 percent) of the respondents cited auditing and risk management as the areas in which cybercrime is most apparent. Other highly vulnerable areas were incident response (22 percent), application assessment (18 percent) and security architecture and remediation (16 percent).
Plugging the hole
With the skills gap projected to persist in 2019 (three in five companies will face a talent shortage of cybersecurity professionals), it remains a wonder how there can be only a handful of online security experts from the thousands of students that graduate every year with computing-related degrees.
According to people Newsplex interviewed who are familiar with ICT training in Kenyan universities, curricular, socio-economic, structural and historical factors favour other areas of specialisation at the expense of cybersecurity.
They say that as a specialty, cybersecurity is rarely offered, or in some cases not even remotely covered, in the first degree. It is therefore left for postgraduate studies or specialised certification, such as Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM). Very few students pursue post-degree specialisation, because they are not encouraged to do so at the early stages, observes Mr John Walubengo, an ICT lecturer at Multimedia University and a technology blogger. “Those who choose to further their studies select areas they are already familiar with, such as database management, networking, system administration and software development,’’ he says.
Students who decide early enough that they will eventually specialise in online security are largely those from better-off families who get the opportunity to interact with computers at a young age and much earlier than the rest, says Dr Tobias Mwalili, chairman of the ICT department at JKUAT’s Nairobi CBD campus. “The fee requirement for one to obtain specialisation certificates in cybersecurity is also much higher than for other specialties, thereby further reducing the number of students who progress in that direction,’’ he adds.
Incidentally, cybersecurity does not attract as many partnerships and scholarships as other areas do. For example, last month Google announced that it will offer 30,000 scholarships and 1,000 grants to young African developers for the Google Associate Android, Mobile Web and Associate Cloud Engineer certifications, leaving out talent in cybersecurity.
Mr Walubengo observes that the field of cybersecurity has not provided many jobs in the past, a fact that students consider alongside the high cost of certification. “Traditionally it was mainly for the private sector. The current high demand is a recent thing brought about by the public sector continuing to automate rapidly,” he says.
A quarter of companies surveyed said they spent more than Sh1 million on cybersecurity last year, the majority being from the banking and financial sector. The report indicates that many companies are yet to allocate adequate funds to cybersecurity. Lack of sufficient security budgets is followed by the challenge in keeping abreast of threats and a shortage of qualified skilled IT security personnel.
It is projected that Kenya will spend Sh200 million on cybersecurity this year, same as last year, according to International Data Corporation (IDC). This is however only a tenth of what South Africa will part with.
While the discussion on the skills gap might give the impression that people well-schooled on cybersecurity hardly contribute to the country’s unemployment statistics, it turns out that talent and papers alone do not deliver the job. “Many potential employers cannot afford to gamble with security and therefore go for candidates with solid experience. It is actually quite a tough area for beginners,’’ says Dr Mwalili.
A quarter of organisations surveyed said they have had a challenge finding cybersecurity professionals with solid experience.
Mr Walubengo sees young talent outside formal education and employment as potential hackers who should be brought on board before they turn against the system. “Most black-hat hackers (cybercriminals) are self-taught. We must have frameworks to change them to become white hats (ethical hackers) to help protect the system,” he says.