The critical shortage of cybersecurity talent, which has topped surveys of IT challenges for years, shows no signs of ending anytime soon — leading to questions about how organizations can fully protect themselves from threats and breaches. In fact, thanks to a continuing global surge in hiring demand, the cybersecurity skills gap has actually widened over the past year, leading to a shortfall of over a half-million workers in the U.S. alone and over 4 million globally, according to the 2019 (ISC)² Cybersecurity Workforce Study. A whopping 65 percent of organizations report a shortage of cybersecurity staff, while a lack of skilled/experienced cybersecurity personnel is the top job concern among respondents (36 percent).
“It is really bad out there,” said Justin Harvey, who leads Accenture’s Incident Response business globally. “The big consulting firms and tech giants can pay the top salary and benefits, but after that, everyone is desperate for resources. It’s a continuing cycle where smaller companies just don’t have the spend and the reach necessary to retain that talent.”
In 2018, Booz Allen Hamilton published a study, Company Boards are Demanding Future-Proof Cybersecurity Talent, which found that 57 percent believe hiring top cyber talent will only become more difficult over the next five years. This lack of talent is causing these organizations to make short-term staffing fixes to protect their business.
“A lot of what we found in that study still holds true, including the need to broaden the talent pool to target a wider population of candidates beyond those with a computer or technology background,” says Anil Markose, senior vice president at Booz Allen Hamilton. “What if you could hire people who are 60 percent qualified and train them on the rest?”
Chief Information Security Officers (CISOs), however, who are on the front lines of dealing with the cybersecurity skills gap, often need qualified, experienced talent that can hit the ground running and be effective quickly. John Germain, CISO of Duck Creek Technologies, says the cybersecurity skills gap is top-of-mind among the tight-knit group of CISOs in the area.
“We all struggle to find the right talent and are often swapping talent between our companies,” Germain says. “It’s a challenge to invest in mentoring and training. I hate to say that because we really want to invest in folks and build good security pros, but sometimes we just don’t have the time. We fight over the people with experience.”
Keeping highly experienced cybersecurity talent happy is one of the biggest challenges facing leadership, adds Sundeep Nehra, partner and cybersecurity leader at EY. “Every CISO needs to be looking at staying competitive in retaining the talent they have and creating a big-picture purpose and career trajectory for employees, to show they have a future with the company,” he said.
7 ways to address the cybersecurity skills gap ASAP
Over the long haul, government intervention, public-private partnerships and an integrated industry effort may be needed to address challenges in filling cybersecurity positions, training candidates and narrowing the skills gap. Over the short- and medium-term, a multi-pronged approach is the best way to tackle this thorny issue, according to the experts. These are some top suggestions:
1. Focus on robust talent sourcing
“No matter what you do you will always need some security people in your organization,” said Harvey. “You can’t outsource responsibility for security and it’s never as simple as saying, ‘Let’s get a great headhunter.’” That means developing a robust talent sourcing effort, whether it’s through a local university, the military or other channels. “Then, you have to be able to train and retain your talent,” he added.
2. Help employees upskill into new cybersecurity careers
A strong focus on retention is key, with competitive compensation and benefits, said Dr. Mary Kay Vona, principal at EY’s People Advisory Services. That goes not simply for employees hired directly into cybersecurity, but upskilling those who can see cybersecurity as a viable career path, in the same way other industries have transformed when they needed to transition a workforce into a different area.
“Take telecom, where there aren’t a lot of people climbing poles anymore, or the power utilities industry, where there aren’t meter readers anymore,” she says. As a short-term fix to the skills shortage, Vona said, cybersecurity organizations can help people move into new careers through relatively minimal training and certifications.
3. Consider managed services for blended staffing
There is no doubt that most organizations cannot keep up with an increasingly vast number of threats and attacks. Without being easily able to fully augment staff, outsourcing some roles through managed services may be the answer. “The operations side is most easily outsourced, so as a CISO I could contract those roles out as opposed to having my own operations staff,” said Germain. “Of course, then resources are still needed and I would need to tap people for other, more business-intimate roles, including architecture and governance/risk/compliance.”
4. Recognize that some things can and must be automated
The opportunity to use artificial intelligence (AI) and machine learning-driven automation is more readily available to cybersecurity organizations than it was a couple of years ago, with better use cases and applications, said Markose. “A great example is Tier 1 activity in security operations,” he said. “Today’s data is so rich that no human can really process so much to make intelligent decisions, so automation offers a great opportunity to reduce the amount of human horsepower.” Organizations can move straight into automation for lower-end, routine tasks, he explains, where AI-driven automation can learn from itself, such as learning which alerts are highest priority.
5. Consider treating cybersecurity as a trade
Hands-on learning is essential in cybersecurity, said Germain: “What if we treat this profession, especially in the beginning, as more of a trade that provides structured, sponsored internships that talent could jump into after a couple of years of junior college?” Just like a woodworker or steelworker, cybersecurity interns could work hands-on with professionals in the industry to gain experience, he explained. “Then you would be ready and more valuable to companies to take on security operations roles,” he said.
6. Create literacy around cybersecurity throughout the organization
In cybersecurity, there is a hyper-innovation cycle in which new attacks emerge every two to three months, said Markose. “The concept that someone can learn this in college and remain relevant is harder and harder,” he said. “Now, someone in the trenches for six months can be as equipped as someone with a formal 4-year education.”
The right ongoing training and development is essential, with some organizations offering rotations in which talent comes into cybersecurity for a couple of years and then moves out into other areas of the business, such as risk. “This model creates literacy around cybersecurity across the organization,” Markose added.
7. Work diligently on diversity in cybersecurity
Diversity may not yet be easy to come by in cybersecurity staffing, but it will grow in the years to come if organizations begin at a grass-roots level, said Harvey. “You have to be a little crafty,” he explained. “Think through your hiring strategy and do your research into programs such as the Aspen Institute, which has done wonders with their diversity technology programs, internships and fellowships,” he said, adding that he also advises organizations to step in as early as possible. “Get them while they’re young: not just college seniors but even freshmen and high school students,” he said. “Sponsor those capture-the-flag and STEM events and get the word out that your organization is looking for those types of individuals.”
As the cybersecurity skills gap grows, optimism remains
While the cybersecurity skills gap is challenging, experts are optimistic that they can address the problem in order to keep organizations safe.
“I am bullish times 10,” added Dr. Vona. “I haven’t been this excited about a career path since the proliferation of ERP.” There are new career models and alternative paths to support moves into cybersecurity, while today’s talent feels like it has a clear purpose in protecting customers. “These are candidates that have a positive view of the industry as a career path.”
However, success in narrowing the cybersecurity skills gap doesn’t simply mean throwing more humans at it, said Markose. “This is a problem that is growing at an exponentially fast rate,” he said. “With the amount of data coming into the cloud and technology emerging, this just can’t be addressed in the same way it was two decades ago.” Organizations must be ready to disrupt and adopt different options, he said. “Those that are just throwing money at the problem will be outspent and outrun.”
That may mean investing in certain cybersecurity roles and outsourcing or automating others. “If I were a CISO, I would be invested in finding a few superstars and putting my eggs in that high-end basket,” said Harvey. “Then I would rely on managed services to hire and retain other talent and draft off that.”
But while automation and outsourcing provide relief for certain jobs, other experts insist the future is bright for organizations willing to widen the net for cybersecurity candidates. “This industry offers options for so many of those working in risk, business, legal, compliance, as well as technology,” said Nehra. “We don’t talk about the IT shortage anymore like we did 20 years ago; the same thing will happen to cybersecurity.”