As many organizations prepare for long-term remote work, cybersecurity is becoming an even greater concern. Cybersecurity professionals will continue to be in heightened demand and there just are not enough candidates to fill the required roles. In fact, some estimate that by 2021 there will be 3.5 million unfilled cybersecurity positions.
Compounding this scenario, cybersecurity is bound to plague organizations much more as time goes on, leaving many teams lacking key cybersecurity personnel to detect and remediate risks. While organizations have been trying to plug the cybersecurity skills gap, few have succeeded.
This is in part thanks to a rapidly changing industry and in part due to the lack of qualified cybersecurity talent. With a shortage of trained cybersecurity professionals, many security employees are left tasked with traditional administrative duties aimed at keeping the lights on more than protecting the organization. But does focusing the time and energy of your security employees on standard IT work alone put your organization at greater risk?
A recent study of cybersecurity professionals by Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) found that the skills gap in cybersecurity has widened over the past few years. Approximately 70% of organizations have been impacted by the cybersecurity skills gap. On top of that, 64% believe their organizations could be doing more to address cybersecurity challenges.
This trend was also underscored in the 2019 Cybersecurity Workforce study which revealed that the industry faces a massive shortage of skilled cybersecurity professionals and that hiring demand continues to surge. The report identified that organizations would need an additional 4 million cybersecurity professionals as businesses combat a wide range of external and internal threats.
Additionally, with the COVID-19 pandemic accelerating the pace of digital transformation, organizations’ investments in technologies such as artificial intelligence (AI), machine learning (ML), and automation have also increased significantly. The cost of cybercrime for organizations is much higher than ever before. Research suggests the impact of cybercrime could cost businesses $6 trillion by 2021. These costs are not just limited to financial costs. Loss of reputation and trustworthiness has far longer-term implications than immediate financial repercussions.
Worse than this, factors such as extended remote work, company downsizing, and budget cuts have put additional responsibilities on the shoulders of both cybersecurity professionals and the average employee. How can companies plagued by the consequences of the talent shortage ensure their employees are trained to identify and report a phishing email so that it does not become an additional burden for the cybersecurity team to handle?
Organizational Challenges in Evaluating Talent
One recent survey found that 73% of respondents had experienced at least one intrusion or breach over the past year that can directly be attributed to the cybersecurity skills shortage. In fact, over the past four years, organizations have shown trivial improvement in the cybersecurity skills gap. This means that, in addition to increased vulnerability to cyber-attacks and security breaches, existing cybersecurity professionals are often overworked. Furthermore, the lack of senior employee bandwidth implies that organizations must spend more time hiring and training junior employees instead of focusing on developing cybersecurity competitiveness.
The skills gap is also compounded by the fact that there is a mismatch between organizations’ legitimate needs and the desired skills outlined in job descriptions. Analysts also believe there are some challenges when evaluating potential cybersecurity talent for the changing landscape and knowledge that is required.
So, what can organizations do to close the cybersecurity skills gap?
Decoding the Cybersecurity Skills Gap
We have had a cybersecurity gap for a long time and that is not going to get any easier. It is probably not as dire as the vendor press wants to make it seem, where we are running around without any protection. It is really a math problem.
W = quantity of threats an organization is experiencing each week
X = the quantity of minutes, or hours, it takes to review and identify a potential phish, or any other form of threat
W * X = Quantity of resources required to mitigate risk
Y = Quantity of staff you have available
Z = Minutes available for staff to identify and remediate threats in each week
Y * Z = Quantity of resource minutes your organization has available
(W * X) / (Y * Z) = Total quantity of potential threats your staff has available.
And, because the quantity of attacks has continued to increase, the likelihood of your staff being able to review everything diminishes. The result for an organization is that the likelihood of an incident turning into a breach increases dramatically. So, what can organizations do to improve the risk mitigation strategy?
The only lever you can pull, without the ability to increase staff, is to automate as much of that workflow as possible. This includes reducing the amount of time it takes to complete remediation and response related to any given threat. This can be done by increasing the tooling to make current employees more efficient. Even with fewer staff members, or less ability to hire fresh staff during an economic downturn, improving the efficiency of staff through best-of-breed tools becomes a mechanism for any organization to get a grip on this problem.
Building the Business Case for Cybersecurity
While the C-suite acknowledges the importance of cybersecurity skills, there is a lack of urgency in the way most leaders approach cybersecurity hiring or skills development.
According to ISACA, most organizations experience delays of half a year when hiring cybersecurity talent simply because it is becoming more difficult to find the right people with the right skills. But what if it becomes less about finding the right people with the right skills and more about empowering end users who sit within your physical or virtual offices to become a part of bridging this gap?
Creating a culture around proactive cybersecurity is important, allowing all employees to become part of the solution. One option is taking the time to continuously educate and train employees, engaging them through security awareness training, virtual lunch and learns, or other creative conversations. This opens the opportunity for them to become part of the bigger conversation.
Fortunately, more end user-related tools are also becoming available to help support IT security teams. Whether it is allowing users to report phish or providing them with visual indicators of risk as they engage through email or across the web, these tools can be valuable reinforcements to your security teams.
When it comes to cybersecurity, everyone is a target. But everyone can also become part of prevention strategies and solutions. If you are looking for a skilled cybersecurity specialist, you may be able to build one right among your current team.
So, there you have it. The impact of the cybersecurity skills gap is apparent, but there are long-term ways to bridge the gap.
Learn more about the tools and training you can provide to support your company’s end users, not only to close the looming skills gap, but also to enable your end users to become proactive members of your cybersecurity team.