The cybersecurity skill gap is a growing problem in the IT industry. Simply, the skill shortage needs to be fixed in order to fight the growing cybersecurity threat landscape.
Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021. When cybersecurity jobs forecasts are unable to keep pace with the dramatic rise in cybercrime, which is predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, what can companies do to protect themselves? What is creating these jobs? Where is the talent coming from? There obviously needs to be some sort of long-term strategy to thin the skill gap.
“The increase in job openings are down to two main factors – an anticipated increase in the size of a cybersecurity workforce within the enterprise and secondly by an increase in the overall scope of responsibilities being handled by such staff ranging from threat and incident management through to risk management and security awareness and education,” said Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management.
The growth in cyber attacks also has its reasons.
“In terms of the cybercrime growth, this is again fueled in part by the very rapid increase in valuable data which we create, share and store all of which in the wrong hands has the potential to be monetized,” said Durbin.
Unfortunately, as Durbin also pointed out, cybercrime is winning.
“Cybercrime is a growth business and in terms of maturity curve, is leading information and cyber security.”
Finding Cybersecurity Pros
Is it difficult to find cybersecurity professionals? How long is a piece of string? It all depends on how you source them.
“If an enterprise is adopting what I would term a traditional approach to sourcing then yes, it is becoming more difficult. However, this is a fast moving, exciting job opportunity area. For those businesses that are prepared to embrace the gig economy, offer flexible terms and recognize that for a great number of cybersecurity roles you do not actually need embedded technical skills but rather some of the more traditional soft and business skills then the market potential is there to meet not all but a greater proportion of demand than we might otherwise believe,” said Durbin.
Your company’s cybersecurity requirements are another factor.
“Different organizations are at different stages of maturity and it is misleading to believe that we are all lacking the same skills – certainly threat and incident management skills are in high demand but so too are cyber risk and forensic skills. The key here is for each enterprise to determine its skill requirements and to adopt an appropriate sourcing strategy to meet those demands. This may be met by hiring a full-time employee or by outsourcing to a third party or by hiring a contractor. Flexibility is the key to meeting the demands of the new cyber workforce,” said Durbin.
To sum up, yes, we need cybersecurity. Businesses need security professionals who can handle hands-on training of employees as well as have the certifications to land the job in the first place. Cyber security professionals should have the CompTIA as is typical of IT professionals, but there are also security certifications that will be necessary to prove to those less technical that you have the skill set needed. In fact, employers may need to put industry experience aside entirely. Also, some security professionals may not have gone to a four-year university.
“Anyone who is not taking cyber risks seriously is heading for a major fall,” said Ian Davin, CEO, HANDD Business Solutions, independent specialists in data protection with global headquarters in the UK.
Related: Setting Up Red And Blue Security Teams
It's All About Risk
The security market is a diverse one, but all market segments share a common goal which is as, as Davin pointed out, to offset risk. Logically, what is the first step in cybersecurity selection?
“Start off by defining risk, which might include legislation, fines, reputational loss, risk of losing IP and competitive advantage, and will be unique to each company,” said Davin, adding that, “whilst, the security market is a niche one, it is a very large niche.”
Davin, based on his professional experience, estimates that cybersecurity professionals are divided into four distinct categories, that solve the why, what, how and who aspects of cybersecurity implementation:
1. Why do you need cybersecurity? Five percent can define potential risks for companies. “It will be rare that you can find anyone who understands the why, what, how, who, when, where and why of cybersecurity,” said Davin.
2. What do you need cybersecurity for? “If you lived in a house that was in an area that was regularly burgled, you would probably need more protection and you would develop a policy to put the burglar alarm on when going out, lock the door and close and lock all the windows. The same is true in cybersecurity,” said Davin. 15 percent can create cybersecurity policies and implement them.
3. How do you implement cybersecurity? 65 percent are product or service providers. “You’ve defined the policy and decided you need to set the burglar alarm, but you don’t have one, you need to look the windows, but you don’t have any window locks. In cybersecurity, this might refer to the way you send data securely, or ascertain who has access to that data. You now have a shopping list and can begin the process of RFPs and tendering,” said Davin.
4. Who are you protecting against? The remaining 15 percent “understand the who, so for example pen testers wear their white hats to protect you from the hacker community; others raise end user awareness of the need for secure ways of working. More attention should be paid here,” said Davin.
Cybersecurity For All?
For many companies, specialized cybersecurity roles do not exist.
“It is fair to say that many businesses continue to rely on the IT team to provide cybersecurity back up,” said Durbin.
If a company lacks dedicated cybersecurity pros, what are the alternatives? Outsourcing etc. Does cybercrime prevention warrant full-time salaried positions?
“First, decide what you are lacking and what you need. Do you need someone to come and help shape your strategy and approach to cybersecurity, or do you need someone to fulfill the how? Yes, you can use external consultants and experts, but you still own the risk to your business, so you must have someone senior who understands and manages these risks. Everything else you can use third parties for, but you cannot outsource risk,” said Davin.
An insightful point, outsourcing risk is not possible as every company is responsible for securing its data. However, cybersecurity involves more than technical staff. All employees have a part to play, from the CEO on down. For instance, proper training and incident response requires careful handling from everyone throughout an organization.
“I look forward to the day when cybersecurity is a key part of everyone’s job – clearly we are always going to need some form of operational, day to day cybersecurity expertise but so much cybersecurity is now embedded in the way we conduct business that if we choose to rely on one separate team we really are missing the opportunity to enhance business-wide cybersecurity,” said Durbin.
If a company lacks dedicated cybersecurity pros, what are the alternatives? Outsourcing, security awareness training etc.
“Yes, all of these. Furthermore, we need to understand that we do not need to have our own dedicated cybersecurity staff. What is important is that we have access to the right skills at the right time – that may be at strategy definition through operational security implementation to breach response; knowing where the skillsets lie and how to get hold of them is more important than having the expertise on your own payroll,” said Durbin.
In conclusion, there are several options available when sourcing cybersecurity professionals, whether it is from the gig economy or in-house. That is not to say all other staff can relax. They must all be security aware and prevent human errors/ security lapses where possible.
In addition, cybercrime is a real threat and not media hype.
“Cybercrime is here to stay. It is globally organized crime and as such needs a coherent, consistent and methodical approach to combat it,” said Davin.
Is your company and its data secure and protected? Have you identified risk vectors? Is your cybersecurity policy robust and able to adapt to future cyber threats? These and other questions will be answered at your next management meeting. I’m crossing my fingers on your behalf, hoping that interdepartmental territorial displays (like those of the silverback gorilla) will not prevent an open and fruitful discussion.