Q&A: Tackling the cyber skills gap
March 2025 | SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY
Financier Worldwide Magazine
FW discusses the cyber skills gap with Jonathan Adessky at McCarthy Tetrault, William E. Ridgway at Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates, and Daron Hartvigsen at StoneTurn.
FW: Could you provide an overview of the cyber security threats facing companies today? To what extent has this become a critical issue for companies?
Adessky: External threat actors continue to bypass security controls to access companies’ data through a multitude of attack strategies, including ransomware and social engineering. Insider threats, while often overlooked by companies, also pose a significant threat to a company’s cyber security. In some cases, employees may be intentional participants in theft of company data. In other cases, employees might unintentionally invite an external threat actor into the company’s systems by misusing the authorised technology or using unauthorised technology – often referred to as ‘shadow IT’. These threats have become critical issues for companies. Cyber incidents occur more frequently, as companies adopt diverse technologies and become exposed to more vulnerabilities. They are more effective than in the past, given the increased sophistication and resourcefulness of threat actors. And they are also more costly, considering the regulatory costs of a data breach and how disastrous it can be for a company’s IT systems.
Hartvigsen: 2024 proved that the cyber security landscape continues to be rife with ‘business as usual’ risks while, at the same time, ushering in complex challenges related to emerging threats such as artificial intelligence (AI). What is more, it has become a hybrid environment where organisations must focus on the fundamentals while maintaining specialty cyber protections around their material, digital assets against a constantly changing landscape. Companies must maintain basic cyber security best practices while being ready for those advanced threats, as 2025 is likely to see the continuation of advancements for many financially motivated criminals in terms of tactics, ability and overarching goals. Indeed, the rapid advancement of AI technology combined with volatile geopolitical events, ongoing conflict in multiple world hotspots, political uncertainty and even political change in the West are likely to fuel aggressive cyber activity from criminals, nation states and disrupters the world over.
Ridgway: Companies today face myriad cyber security threats, including ransomware attacks, data breaches and cyber attacks from nation state actors and other advanced persistent threats. The sophistication of the threat landscape has grown recently as AI is now routinely leveraged by threat actors to automate attacks and bypass traditional security measures. The risks have only escalated as businesses become more digital and interconnected, raising the stakes of any attack and its impact on the broader market. The financial, reputational and operational fallout from these cyber threats underscores the urgent need for governance, incident planning and investment in robust cyber defences.
FW: To what extent are companies suffering from a gap in cyber skills? How would you characterise the size and nature of this gap?
Hartvigsen: The cyber security workforce now is much more advanced and, in general terms, academia is producing very capable cyber security practitioners compared to just a few years ago. A key issue is that an organisation’s technology footprint is often more expansive than it can protect, rather than it not having the right talent. Having advocated for the advancement of cyber security education for many years, since 2008, I can attest to the idea that the workforce being produced from academia is in a much stronger spot now. However, many companies as well as public sector entities still feel pressure related to talent demand, depth of experience needs and the ever-evolving skills requirements as technology advances. Additionally, on-the-ground experience and job training remain critical to training the next generation of leaders.
Ridgway: The cyber skills gap continues to be a significant challenge for companies, with many struggling to find qualified professionals to fill essential roles in threat analysis, incident response and security architecture. Industry reports suggest that the size of this gap is substantial and that the shortage of cyber security professionals numbers in the millions. This shortage hampers companies’ abilities to effectively protect their digital assets and respond to emerging threats.
Adessky: The gap in cyber skills varies tremendously across companies, which typically fall into one of three groups. First, companies whose workforce possesses no cyber skills. Second, companies that have a cyber security subject matter expert (SME), such as a chief information security officer (CISO), but whose other employees lack any meaningful cyber skills or knowledge. And third, companies that have cyber SMEs and whose other employees have a robust foundational grasp of cyber security skills tailored to their specific roles. Most companies fall somewhere between the latter two categories, and the disparity is driven by factors such as the company’s culture of compliance, or lack thereof, whether the company has suffered a significant cyber incident in the past, and whether the company operates in a regulated industry that prioritises cyber preparedness.
FW: What are some of the factors driving the shortage in cyber skills? Could you highlight any partnerships or initiatives being taken to expand the cyber security workforce?
Adessky: Several factors contribute to the shortage in cyber skills. A major challenge for companies is for their employees to keep current with the constantly evolving risk landscape. In particular, companies are struggling to fully understand the cyber risks inherent in now widely adopted generative AI (GenAI) tools. Another challenge is that demand for highly skilled cyber security professionals outpaces supply, as virtually all industries become increasingly reliant on digitalisation. To help fill this gap, the federal government of Canada launched five innovation superclusters in 2018 which have started investing nearly $2bn over a 10-year period. These superclusters, each of which addresses a unique gap in Canada’s innovation ecosystem, have streams dedicated to equipping Canadians with skills in cyber security and related fields.
Ridgway: Several factors contribute to the cyber skills shortage, including rapid technological advancements, a lack of awareness about cyber security careers and insufficient training programmes. Recent regulatory actions against cyber security professionals, such as in the SolarWinds action, have exacerbated this issue by sending a message to cyber security leaders that they may be blamed for any perceived shortcomings. Initiatives to address this gap include partnerships between academia and industry, government-led training programmes and corporate-sponsored certifications.
Hartvigsen: The rapid advancement of technological innovations, such as AI and the cloud, makes it hard for both academia and those in the workforce to keep up. It is hard enough to deploy new technology, but we also need to go beyond that to understand risks and the controls that will counter threats to people and systems. Threat actors tend to accelerate change in cyber security by pushing forward and exploiting victims in new ways that bypass security efforts. As such, there is a cycle of training needed to keep up with technology and the threat actors who exploit it. Many companies now invest in training for users, security practitioners and senior executives, which serves to raise the bar culturally. As for partnerships, there are really good examples out there. Specifically, I have great admiration for what the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and Microsoft are doing with free online education, security information and threat intelligence.
FW: What are the key risks for companies that fail to bridge their cyber security skills gap?
Ridgway: Companies that fail to bridge their cyber security skills gap face many risks, including increased vulnerability to cyber attacks and regulatory enforcement actions. An example is the Federal Trade Commission’s enforcement action against Drizly, an online marketplace, which faulted the company for having failed to hire a senior executive to oversee the company’s data security. These risks highlight the importance of investing in cyber security talent and resources.
Hartvigsen: We often see companies that do not have the right talent in the right place and at the right time fall prey to cyber threat actors. Failure to invest in talent and maintain and develop employees’ skills often costs more in the end with incident response, mitigation and remediation efforts. An organisation’s people are its greatest strength and its greatest vulnerability. The insider, whether knowingly or unwittingly, can cause serious vulnerabilities. As cyber security incident responders, we often see root causation of incidents point to an employee or group who were not adequately trained, resourced or overseen by trained and competent leaders.
Adessky: Failing to address a cyber security skills gap can lead to two major risks: greater exposure to cyber security incidents and less effective incident detection. The exposure increase is driven by the fact that the human element remains crucial in preventing incidents. Employee vigilance is critical to preventing phishing attacks which are often used by threat actors to obtain the employee’s credentials and laterally move around the network. Employees should also be trained on the authorised uses of company technology, which includes the prohibition of downloading unsanctioned applications on company endpoints which might contain malware. The human element is also critically important in detecting incidents. Employees with even basic cyber security awareness training are more inclined to abide by the ‘see something, say something’ principle.
FW: In the event of a cyber security incident, how important is it for companies, particularly those lacking appropriate cyber security skills or awareness, to have a robust response plan in place?
Hartvigsen: A robust response plan is not going to be of much use if the people implementing that plan lack cyber security skills or awareness, especially in a crisis when things may move at breakneck speed. It does not make much sense to do one without the other. In order to execute a plan, people must be trained in the proper skills and protocols. It is very important for companies to have a robust, current and actionable incident response plan in place, and it is equally important to have a workforce with the skills to implement and follow that plan. This is especially important for companies in regulated industries, since many regulators are looking for a trained and capable response when a cyber security event occurs.
Adessky: It is important and very useful for every company to have a robust incident response (IR) plan. The initial response to an incident can happen at lightning speed and could have many simultaneous moving pieces. Staying organised and coordinated is key to braving through what could feel like chaos in the early stages of response, and an IR plan does exactly that: it ensures that the right people do the right things at the right time. A well-crafted IR plan will identify external resources to call upon when an incident occurs, such as a breach coach, the company’s cyber insurer and preferred IR providers. This is particularly important for companies that lack sufficient internal resources to handle components of the IR process, such as technical expertise to contain the incident. A strong IR plan can also set out a strategy to help the company preserve privilege, which is incredibly important considering the potentially litigious nature of data breaches.
Ridgway: Having a robust response plan is crucial, particularly for companies that need third-party resources to supplement their internal cyber security expertise. Such a plan ensures that organisations can quickly and effectively respond to incidents and engage appropriate experts like a forensic firm and cyber counsel. It also helps in maintaining customer trust and compliance with regulatory requirements. A well-prepared response plan includes clear protocols, designated response teams and tabletop exercises to ensure readiness.
FW: What steps can companies take to address the cyber skills gap within their organisations? What essential advice would you offer on cultivating a pipeline of cyber talent for the future?
Ridgway: To address the cyber skills gap, companies can invest in continuous training and development programmes, foster partnerships with educational institutions and offer career pathways for cyber security professionals. Building a pipeline of future talent involves engaging with students early, offering internships and supporting cyber security competitions and clubs.
Adessky: Addressing cyber skills gaps starts at the top. Companies should appoint a seasoned individual, either from within their ranks or an external consultant, to oversee their cyber security efforts. Often, this role is given to a CISO. The CISO should be given access to the company’s leadership, allocated a budget commensurate with the organisation’s IT footprint and sector-specific risks, and granted reasonable operational autonomy. The CISO should assess if the company possesses the requisite personnel to effectively mitigate cyber risks. Staffing gaps can be filled by hiring resources or by outsourcing certain cyber security functions to qualified service providers. The CISO should also design a cyber security awareness programme that provides core knowledge to all employees and adds specialised content for specific roles. The programme design and implementation can also be outsourced, but it is important that the CISO remains accountable.
Hartvigsen: There are a great number of things companies can do to level up the cyber security skills of employees. A popular step is cross-functional training, whereby employees serving in different practices that have some cyber fundamentals learn new skills. Companies often outsource to address skills gaps when they require assistance with incident response. This sort of outsourcing is more common than one may think, especially for emerging issues where experts are scarce. As for a pipeline for cyber talent, my favourite means of tapping into a source of talent is to partner with a university that has an excellent cyber security programme. There are ways to develop and identify talent early, such as internships, campus visits and professor engagement.
FW: How do you expect the cyber threat landscape to evolve in the months and years ahead? How confident are you that companies can close their cyber skills gaps and build resilient digital operations?
Adessky: Companies will likely increasingly feel the impact of cyber security incidents as threat actors grow in number and sophistication. Ransomware is expected to persist as a major threat. Ransomware threat actors are likely to continue using complex obfuscation techniques to more freely roam a victim’s IT network. Social engineering attacks, particularly phishing, are also likely to remain a prominent cyber threat confronting companies. Threat actors will almost certainly leverage GenAI capabilities to more convincingly deceive their targets in the coming years or to perform reconnaissance on targets. Closing a company’s cyber skills gap is always possible, but it requires work. Company leadership must promote a culture of cyber awareness. Compliance must be rewarded, and good data governance must be ingrained in how people do things at all levels.
Hartvigsen: 2025 is going to be a very active year for cyber security practitioners. 2024 gave us a taste of the future technological innovations that will fuel cyber exploitation, espionage and disruption. Of course, one example is AI, which is poised to rapidly mature offensive and defensive tactics and techniques. AI will enable financially motivated criminal groups to design and field high quality malware that is more advanced than many actors would have been capable of developing on their own. Additionally, AI will make that malware quicker, with a higher degree of success – decreasing the cost of entry for extortion groups. Whether an organisation is a small business, medium-sized company or a Fortune 100 corporation, its cyber security strategy for 2025 should be anticipating and countering the foreseeable challenges that will arise. Organisations will be better positioned to do so with a skilled workforce that is up to date on training.
Ridgway: The cyber threat landscape is expected to evolve with increasing complexity and frequency of attacks. Emerging technologies such as AI, the internet of things and cloud infrastructure will introduce new vulnerabilities. While closing the cyber skills gap remains a challenge, ongoing efforts in education, training and industry collaboration provide a pathway to building resilient digital operations. Companies must remain vigilant and proactive in their cyber security strategies to adapt to the ever-changing threat environment.
Jonathan Adessky is an associate in McCarthy Tetrault’s Business Law Group. He is also an active member in the firm’s national Technology Group and Cyber/Data Group. His practice focuses on IT outsourcing, privacy compliance and incident response, e-commerce regulatory and transactional matters, and private M&A. He can be contacted on +1 (514) 397 4261 or by email: atjadessky@mccarthy.ca.
William E. Ridgway is co-head of Skadden’s global cyber security and data privacy practice and a member of the litigation group. He is a former federal prosecutor with extensive trial and investigations experience who advises companies on their most sensitive cyber security, data privacy and white-collar matters. He can be contacted on +1 (312) 407 0449 or by email: william.ridgway@skadden.com.
Daron Hartvigsen is a managing director with StoneTurn and a cyber threat response and pursuit expert with nearly 30 years of related experience in commercial, US intelligence, counterintelligence and law enforcement. He currently helps lead StoneTurn’s cyber security practice and delivers solutions for clients in the financial services, healthcare, insurance, privacy, social media and manufacturing industries. He has recent experience with major social media services, content delivery platforms, virtual asset service providers and other emerging technology ecosystems. He can be contacted on +1 (202) 609 7847 or by email: dhartvigsen@stoneturn.com.
© Financier Worldwide