Cyber skills shortage – true threat to safeguarding business
Date published: 19 May 2020
According to Info Security, global IT security skills shortages have now surpassed four million. It is a truly staggering figure, and yes, this gap has been well reported, so it may not come as a surprise to you. However, what’s concerning is that this gap is widening. Recent reports highlight 4.07 million unfilled positions in IT security in comparison to 2.93 million from the previous year. Organizations across the world are feeling the impact, with 65% reporting a shortage of cybersecurity employees, and the number one concern for 36% being a lack of skilled or experienced security personnel. So what impact is this having on cybersecurity as a whole, and how can this challenge be tackled?
The scale of the problem
According to Cisco research, the cybersecurity industry is facing increasingly sophisticated threats, and in recent years it has seen high-profile data breaches, determined threat actors and tactics that are quickly outpacing the ability of IT and security professionals. Eight out of 10 CEOs in the UK fear cyber-attacks and the skills shortage, with 75% worrying about the speed of change and sophistication of attacks. However, attackers are only part of the problem. We must remember that cybersecurity professionals are on the frontline protecting our networks and devices from risk and vulnerabilities, and their resources are depleting with the widening of the cybersecurity skills gap.
A recent study from ESG and ISSA confirmed that “the cybersecurity skills shortage is exacerbating the number of data breaches.” It also highlighted that the top two contributing factors to security incidents were a “lack of adequate training of non-technical employees” (31%) and a “lack of adequate cybersecurity staff” (22%). After all, technology and the products and systems utilized can only be as advanced as the humans controlling and designing them. If (or should we say when) there comes a time of increased risk, without the professionals to combat this, organizations can be compromised. You only have to look to the healthcare sector during the coronavirus pandemic as a key example of this.
Education as the answer?
Unfortunately, education in this area is lagging, which is arguably a contributing factor. According to Forbes, “of the top 50 computer science programmes in the US, only 42% offers three or more information security-specific courses for undergraduates.” Dan Gurfinkel, security engineer manager at Facebook, recently told VentureBeat that things could improve as educational institutes bolster their offering; however, it isn’t moving at the rate that the industry requires, and many are searching for knowledge in a less formal manner. Research tells us that more than 80% of ethical hackers are self-taught, with less than 6% having learned hacking skills in a classroom. Plus, we must remember that this learning should be continuous – it has to keep up with the speed of change – so by the time that these programmes are developed, the need may have already changed.
Overcoming the challenge
IT leaders are now taking steps to eradicate this problem, reviewing how to distribute their cybersecurity budgets to fill the skills gap and turning to next-generation firewalls and threat intelligence platforms and services to help fill the gap in the first instance. Additionally, businesses are focusing their efforts on attracting an elusive, diverse talent pool, with many eradicating their previous perceptions of what a typical candidate will, or should, look like to pave the way for the next generation of cybersecurity leaders. You don’t need unicorns who tick all of the boxes; you need talented, passionate individuals in your team. Titania has taken this approach for quite some time, with CSO Nicola Whiting leading by example, encouraging ‘diversity of thought’ to avoid groupthink mentality and to prevent cybersecurity from becoming an ‘exclusive’ sector in which only those who meet a certain criterion can operate. This means working closely with the HR function and allowing additional budgets for training, which may be welcomed by those who haven’t received formal training as mentioned above. Simultaneously, the industry also has room to change perceptions of a career within the cybersecurity industry and must demonstrate the value-add that these professionals truly bring.
A fighting chance for the future
We appreciate that this situation cannot be solved overnight. So, it’s critical that as an industry, we look to address how we give the next generation a fighting chance for the future. This may mean starting with automation, whereby routine checks and fixes, as well as reports, can be automated with software that can be relied upon, such as Titania Nipper. This will, in turn, lead to trust in autonomous mitigation solutions for routine fixes, freeing up skilled personnel to focus on the wider cyber threats and organizational vulnerabilities while also avoiding alert fatigue. Although it may not necessarily tackle the skills gap specifically, it will go a long way in alleviating the pressure, focusing on overall cyber hygiene whilst the situation is remediated.
Additionally, it’s imperative to recognize that cybersecurity is a team effort – it takes the co-operation of many within a company to minimize risk and identify vulnerabilities, and this should be led by the C-suite. Leaders have the power to grow talent within their own team if it is limited, so this too should be a consideration when planning for the future. In the meantime, consider outsourcing cybersecurity strategy, working in partnership with those who have the resources to support your everyday cyber hygiene and also respond efficiently in times of crisis.
The evidence is clear – this is an ongoing issue, and the coronavirus pandemic has clearly highlighted vulnerabilities in cybersecurity infrastructure, particularly in the healthcare sector. If nothing else, it’s proved that the time is now to address the cyber skills shortage and act accordingly, working alongside your HR function to shape an approach that attracts and retains industry talent. If you do not have the skills in-house, consider the benefits of partnerships to help address your cybersecurity strategy: ones that can deliver on security practices to prevent vulnerabilities and keep operations in peak performance, as well as shape a crisis strategy for when things go wrong. And finally, consider how ongoing education can help, keeping your personnel in-the-know with the latest changes and developments to help them remain on the front foot.