Welcome to this week’s blog. We’re getting close to the end of the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience.
Coming in at number four on the list is “Lack of skilled cybersecurity professionals.”
I’m a little surprised this wasn’t number one on our list, but organizations have adapted to alleviate this constraint.
Understanding the Cybersecurity Skills Shortage
The cybersecurity skills shortage is nothing new, but it was exacerbated by the pandemic, which accelerated digital transformation, expanded attack surfaces, and increased security. According to the latest statistics from (ISC)², there will be approximately 1.8 million unfilled cybersecurity jobs by 2022. Even though that is a significant drop compared to the 3.5 million cybersecurity workforce shortage in 2021, it still leaves a substantial gap in the market.
Why the cybersecurity skills gap exists – and persists
I’m always in awe when I watch SOC Analysts, Threat Hunters, and Reverse Engineers work. There’s a lot of discipline involved in what they do, taking a specific mindset.
According to Gartner, there is a persistent cybersecurity skills shortage because the cybersecurity industry covers several different disciplines, ranging from secure code practices and full-stack knowledge of IT infrastructure to regulatory and legal compliance.
Others say it reflects skills shortages across the broader IT market. However, the growing size and intensity of cyber-attacks mean that demand for cybersecurity professionals has grown much faster than in other sectors of the IT job market. It’s challenging to find and recruit multidisciplinary IT staff in the ﬁrst place, so finding someone who has the additional focus on security is even more challenging.
Working in cybersecurity requires an extensive range of soft and technical skills and a suitable personality for the job. Despite the massive demand for cyber security jobs, IT candidates are less inclined to pursue careers because of the stress involved.
The shortage of cybersecurity skills lies within this tangled web of requirements: to become the person who can protect organizations from cyber attacks, you need many years’ worth of applied experience far beyond any formal education.
In speaking with colleagues, successful cybersecurity candidates today must first be a general security expert who has a good grasp of physical and technical cybersecurity issues. You also need at minimum one or two specific domains in deep IT expertise with a grasp on the evolution of technology and an understanding of how organizations and their people use technology to achieve their goals.
Taking a quick look at job reqs, most companies hiring an entry-level SOC analyst are looking for someone with:
- 3 to 5 years or more of information security-related experience.
- Technical expertise in IT technology: Cybersecurity, cloud computing, networking, and software development
- Experience-based familiarity with the auditing discipline of information security.
- Knowledge of security and regulatory compliance frameworks: PCI DSS, SOC, NIST, HIPAA, GDPR, etc.
- Holds the CISA or other information security certifications
I came across an old stat on cybersecurityventures.com that said only 3 Percent Of US Bachelor’s Degree Grads Have Cybersecurity Related Skills. If more students don’t enroll to get the necessary skills, who knows if we’ll ever catch up.
Dealing with the Problem
Forget About It
Some organizations still view cybersecurity as a nice, bolt-on process that isn’t critical to their business. Cyber attacks are often included in cost-cutting exercises even during tough economic times despite the growing intensity and frequency of cyberattacks. Thus, the first (and popular) approach to dealing with unfillable cybersecurity positions ignores the problem.
Sadly, research has shown that inadequate cybersecurity resources are often seen as a significant cause of cybersecurity incidents. With the increasing intensity and impact of data breaches and other cyberattacks, it’s not a strategy anyone in their right mind should follow.
Hiring the perfect security professional might make the skills gap feel more significant for many organizations. An ideal approach might be to find and nurture the right talent.
Don’t underestimate culture fit as well. Someone that checks all of the experience boxes with hands-on experience might look great on paper but might not fit in with the rest of the team. You can always teach people new subjects, but interpersonal-skills is a trait that should not be overlooked.
Organizations should figure out their ideal profile, work on their must-haves and desirables, and find people who blend in well with the team. Then, nurture this talent over the long-term with training and mentorship and enable them to gain experience and grow.
Share the Responsibility
Many organizations believe that the security department is solely responsible for security, and that’s true - to an extent. As a business leader, your problem isn’t a lack of awareness of threats but a lack of resources to help get secure. Organizations with security personnel shortages need to make the best possible use of their existing resources to help relieve security teams’ burdens.
A sustainable security culture demands that everyone be all in, which means that everyone must be aware of security risks and take steps to mitigate those risks. Everyone plays a part in the company’s security strategy and security culture, from executives down to interns. Everyone has a role to play and contributes to its success.
Adopting a security-first mindset and ingraining cybersecurity methodologies into your business strategy can help achieve this “all in” mentality. Ensuring that your security objectives are clear and concise will help people understand what they should focus their attention on. Talk about the importance of security at the highest levels, not just from titles like CISO, CSO, etc., but also other executives at every company level.
According to Security Week, the so-called ‘great resignation’ currently upending the US labor market is starting to affect cybersecurity programs, with a growing number of senior leaders opting for early retirement and mid-level managers leaving in droves for less stressful, fully remote work opportunities.
To retain cybersecurity talent while attracting new talent, organizations must focus on providing the right technology, efficient workflows, effective management, and strong executive sponsorship for cybersecurity. This improves cybersecurity and reduces unnecessary workloads, frustrations, stresses, and ultimately burnouts for cybersecurity teams.
It’s definitely in an organization’s best interest to invest some time and effort into caring for your cybersecurity team's working conditions, organizational structure, and general welfare.
With the right security tools, such as a threat intelligence management or XDR solution, organizations can automate elements of their cybersecurity role and responsibilities until they can hire human talent to fill those roles.
While there’s no replacement for human expertise, automation and machine learning can provide many benefits, including:
Improving efficiencies by automating manual security processes and protocols might seem daunting
Improving detection and response capabilities
Helping to retain and recruit IT and cybersecurity workers by preventing burnout
The Bottom Line
There isn’t any single solution to the cybersecurity skills shortage. There will always be too few qualified professionals to fill every job opening at any given time. However, organizations can begin by identifying their current skillset and then adjusting their requirements to determine which skills they need to expand or enhance to fill those gaps appropriately.
As always, thanks for reading. Join me next time as I look at number three on our list.
In the meantime, download our Cybersecurity Insights 2022 report or scroll through below for direct links to the other blogs in this series.
Topics:Cyber Threat Intelligence