As cybersecurity demands increase, the available pool of talent is not keeping up with the pace. And over the last few years, the already profound talent gap has continued to expand. According to the latest (ISC)² Cybersecurity Workforce Study, there are 2.7 million unfilled infosec positions worldwide. And it’s estimated that the cybersecurity workforce needs to grow 65 percent to meet global demand.
Given that cyberattacks are becoming more frequent and sophisticated, now isn’t an ideal time to be playing catch-up. Novel threats are constantly emerging, the threat landscape is growing and new technology is being released every day. What’s worse, only 14 percent of small businesses are prepared to defend themselves against a cyberattack. So security professionals are not only in short supply, but their role is more important than ever before.
So, how can we fix the cybersecurity skills gap? To begin with, we must understand what’s driving this talent shortage. It comes down to three factors: the evolution of technology and the threat landscape, the increasingly difficult demands of the job, and misguided hiring practices.
As new technology is developed, bad actors find new ways to exploit it, and security experts need to find new ways to defend against it, whether through security fixes or by developing new security technology. This cycle has always been in place, but technology is changing faster than before, putting additional strain on security professionals.
When enterprises had simple, smaller infrastructures, security was fairly straightforward, and the demand on IT and security teams was manageable. Now, companies large and small need a human-driven cybersecurity defense system that encompasses detection, prevention, and response.
The increased workload for security and IT teams is coupled with the constant pressure to keep up with new cyberthreats and to learn how to use new security tools and techniques. Each time a new technology, threat, or defense strategy is developed, the entire security organization needs to take it into account.
For instance, businesses once needed security experts who understood firewalls and antivirus software, before turning to cloud-based engineers for assistance. Now, many businesses are looking for security personnel with distributed-workforce experience in order to ensure their organization is secure. Today’s cybersecurity professionals need experience in data science, machine learning, and AI, and the people who can fulfill those requirements are limited.
Beyond changes in the threat landscape, other environmental factors have made security practices more critical to a business’s survival. The first is evolving regulations around customer data. Any business holding customer data — which is every business — needs to meet certain compliance standards around privacy and security. These regulations are becoming increasingly strict, and businesses can receive hefty fines for failing to protect customer data.
How a business protects sensitive data can also have reputational repercussions. A known breach that compromises customer information can result in lost business, and that’s in addition to any legal ramifications a company could face if customer or employee data is stolen. In fact, the National Cyber Security Alliance reports that 60 percent of companies that experience a data breach go out of business within six months.
With all of these changes, a strong security posture has never been more important, and the demands placed on security and IT professionals have never been higher. Unfortunately, as security demands grow, so must security teams, and the pool of talent is quickly being depleted.
Beyond finding the right talent, companies are struggling to keep high-value employees around. According to a Ponemon Institute report, 65 percent of IT security operations staff said the stress of working in a security operations center (SOC) made them think about changing careers or quitting. Similarly, a Cybersecurity Ventures analysis found that 24 percent of Fortune 500 CISOs are in the job for just one year.
Cybersecurity departments are notoriously short-staffed, underfunded and face intense demands that create a very high-stress environment. A majority of CISOs report being moderately to tremendously stressed and only half of security professionals feel confident they can address all or most of the daily alerts coming in. And depending on how well company leadership understands the importance of and demands related to cybersecurity, they may not make security a priority in their budgets.
Because security professionals are in such high demand and they’re getting burned out quickly, large companies and cybersecurity organizations are often the ones able to recruit and retain security professionals, leaving SMBs in the dust. And the pandemic-induced reliance on remote work has only made the field more competitive, as geography is no longer a limiting factor when it comes to finding work. So small businesses are now forced to compete for talent on a global scale.
Though they can’t control the growing threat landscape, increasing regulations, or budget limitations, hiring managers aren’t exempt from blame when it comes to the cybersecurity talent gap. For too long, companies have created barriers to entry into the security field and set expectations that are so high, only a limited number of candidates can meet them.
Many companies only consider candidates with CISSP certifications, graduate degrees, developer skills and several years’ experience dealing with various cyber-defense techniques. But so many of these requirements aren’t necessary. For starters, most of the security technology and tools used today are relatively new, so no professional has more than a few years’ experience working with them.
A degree in a related field also shouldn’t be a mandatory requirement as cybersecurity is ultimately an interdisciplinary field. Yes, a familiarity with security technology will eventually be needed, but security also involves an understanding of human behavior, finance, risk, and various laws and regulations. It’s not uncommon for people to start in one of these fields and move into security, learning the technology and tools as they go. And yet, many managers don’t want to dedicate the time to train someone with little to no cyber experience, so they opt to pull from a smaller pool of candidates.
Unfortunately, the security industry also has a diversity problem. Roughly 85 percent of cybersecurity professionals are white and women only make up 25 percent of the workforce. Of that group of women, almost half are millennials. Companies not only have a responsibility to hire more diverse employees, but they need to start investing in targeted outreach to pull more women and minorities into the field. By opening the door to underrepresented individuals, companies can broaden the talent pool and increase the diversity of the ideas in the workplace — a win-win.
Organizations and hiring managers can’t dramatically increase the pool of talent, but there are a few things they can do to widen their search and start to close the talent gap, even marginally.
When hiring new talent, managers should think outside the box, whether that means training internal staff from other departments who show promise as security professionals or removing some of the stringent requirements on applications when hiring externally.
Companies may also consider starting or investing in programs that get young people from underrepresented communities interested in cybersecurity as a potential career or funding scholarships for female and minority students earning a degree or certification in a related field. By encouraging more diverse individuals to join the industry, the pool of talent will expand significantly.
Finding more bodies to sit on security teams is a big ask, so it might be easier for companies to close the gap by shifting their teams’ priorities wherever possible. Make sure your top talent is focused on high-value initiatives like enhancing your security architecture and incident reports rather than mundane, repetitive tasks. This will lead to greater job satisfaction and, hopefully, longer tenure for your best employees.
Finally, depending on your business needs, you can remove the burden of building a security organization by outsourcing the work to a managed security service provider (MSSP). These companies already have a robust staff of security professionals who can assist your teams or take over your security efforts entirely. Because they’re working in the field day in and day out, they will be up to date on the latest threats, security trends, and tools, and they’ll bring that knowledge to your organization. They know how to build and manage an effective security tech stack and can help your organization become cyber resilient for a fraction of the cost of building an entire infosec team.
SolCyber is a modern MSSP that helps SMEs achieve cyber resiliency and gain the coverage of a Fortune 100 company without the massive price tag. We’ll handle everything from delivering foundational coverage to organizational security awareness training to 24/7/365 detection and response services.
Learn more about SolCyber’s offering and drop us a note to learn how we can help you protect your environment without competing for top talent.