Bridge the cybersecurity workforce gap. Discover how organizations seek assistance to bolster their digital defenses and talent pool. New cybersecurity breaches are happening all the time. And while it’s the big-name victims like Equifax or Adobe that make headlines, cybercriminals are targeting businesses of all sizes.
Experts think more needs to be done to bring diverse talent into the cybersecurity workforce. That could mean expanding the definition of a cybersecurity professional to include people with soft skills, such as curiosity and interest in technology.
1. They’re ill-equipped to deal with the threat landscape
Cyberattacks are on the rise and growing more sophisticated, especially in a year of geopolitical turbulence. For example, Russia’s war in Ukraine and wider geopolitical tensions are reshaping the threat landscape, increasing the risk of espionage, sabotage and destructive cyberattacks against companies with ties to those countries or with their allies. Attackers are also targeting supply chains, with manufacturing companies as a key target. And ransomware gangs are increasingly threatening to disrupt businesses’ operations unless they pay a ransom.
All these attacks require cybersecurity teams to be highly agile and up-to-date. Yet a growing shortage of cybersecurity professionals means that fewer and fewer of them are able to do so.
The problem is partly one of talent, but it’s also a mode of thinking that prevents cybersecurity teams from adapting to the rapidly changing threat landscape. CXOs need to change the way they think about hiring and the types of skills they look for in cybersecurity professionals.
For starters, they need to shift away from the idea that security professionals need to be experts in every aspect of an organization’s cybersecurity. Instead, they should focus on finding people who have a combination of hard skills and soft skills. A good candidate may have a strong interest in technology, an aptitude for learning coding languages, or a penchant for solving complex problems. But the most important attribute is an ability to think creatively and foresee potential threats that don’t yet exist.
Another way to open up the pool of candidates is to increase diversity, Stewart says. The cybersecurity industry is dominated by men and white people, and it’s time to address that. The industry should support initiatives that foster diversity and help women and minorities become more interested in cybersecurity careers, she adds.
It’s also worth considering leveraging automation to reduce the burden on cybersecurity teams. For instance, software-based tools can help automate repetitive and manual processes to free up cybersecurity team members to tackle the more challenging parts of their jobs. These tools can also help identify and remediate risks, thereby reducing the number of incidents that require human intervention.
2. They’re ill-equipped to respond to breaches
The threat landscape has been evolving and attackers have been more aggressive, making it harder for cybersecurity professionals to keep up. This is creating a demand-versus-supply gap that is impacting the ability to close gaps and bolster security protocols to protect business value.
It’s not just a question of whether companies will get attacked; it’s when. That means they need to be able to respond to a breach quickly and decisively. And to do that, they need the right talent in place.
But the world is currently lacking 3 million cybersecurity professionals, according to a 2022 study by (ISC)2. And while the take-up of cybersecurity as a qualification at formal education levels has been increasing, that’s still short of what the industry needs. In fact, it takes years to earn cybersecurity credentials and gain the practical work experience required to be successful. That’s a big part of the reason why many organizations are struggling to find the right talent.
A range of education, training and upskilling programs are working to address the issue. Some are geared toward specific groups, such as women or people of color. Others focus on specialized skills, such as incident response or forensic analysis. For example, Public Infrastructure Security Cyber Education Systems is helping local governments beef up their control systems through a collaboration with universities, and GuidePoint offers an apprenticeship program that gives students real-world experience by monitoring the networks of local government agencies in five cities.
Other efforts include focusing on in-house training programs that offer employees the opportunity to earn cybersecurity certifications while keeping them at work, and paying for part or all of their cost. And for some, it may make sense to outsource cybersecurity capabilities if building an in-house team isn’t feasible due to resourcing or other reasons.
One of the biggest challenges is that cybersecurity work requires a rare combination of skills, including foresight and creativity. And while those with this gift can be nurtured through a variety of tools and procedures, there’s no reliable way to transmit that level of skill at scale.
3. They’re ill-equipped to deal with the regulatory landscape
The cybersecurity industry is struggling to keep pace with the demand for workers. Despite some encouraging growth in the workforce over the past year, the number of open positions remains significant, according to a 2022 cybersecurity workforce study by (ISC)2, an international nonprofit that offers cybersecurity training and certification programs.
As cyberattacks become more sophisticated and widespread, companies are scrambling to fill the roles that will prevent them from being exploited. The lack of cybersecurity professionals is resulting in gaps between security team staffing and the needs of organizations, which can lead to poor decision making. The risk is even greater for midsize orgs that must work with partners to meet their business needs.
Those challenges are amplified by the fact that cybersecurity roles are changing rapidly. The average cybersecurity professional changes their job every three years, and it’s often difficult for orgs to find skilled replacements. The influx of new talent into the field has also made it harder for organizations to get the most value out of their cybersecurity investments.
In an effort to close the gap, a variety of education, training and up-skilling programs are helping to bring more people into the industry. One example is a program at the GuidePoint cybersecurity company, where veterans leaving the military can get hands-on experience and certifications that will help them land cybersecurity jobs. Another is a project called Public Infrastructure Security Cyber Education Systems, which lets students at five universities test their skills by monitoring real-time data from local government networks.
Other initiatives focus on improving the industry’s image, promoting the benefits of a career in cybersecurity, and broadening the candidate pool. For example, (ISC)2 has launched a diversity, equity and inclusion program to try to attract more women to the industry. And a few companies are trying to offer alternative career pathways for people that might not fit the traditional mold, such as offering monetary incentives to employees who complete certain types of cybersecurity work through crowdsourcing.
But a more comprehensive approach may be needed to address the issue. For example, more mature cybersecurity orgs should implement a model of “talent-to-value protection,” which prioritizes hiring or up-skilling security professionals that are well-suited to the specific risks they face. This model could reduce the number of people on the team that have to learn as they go, which will improve orgs’ ability to make sound decisions about their risk appetite.
4. They’re ill-equipped to manage growth
Cybersecurity is a critical part of every business today, but many companies are ill-equipped to manage the growth of their cybersecurity teams. As hackers get more sophisticated, securing systems and data becomes harder than ever. The global workforce gap for cybersecurity professionals is estimated to be 3.5 million jobs short of what it needs to be, according to Cyberseek.
This shortage of qualified workers means that businesses must be more selective when hiring cybersecurity staff. But this approach also creates a bottleneck in the growth of security teams, making it hard to meet new demands and increase security coverage. And when cybersecurity teams are stretched thin, they can’t stop breaches or sift through the data to detect threats and prioritize response.
In the US alone, there are currently 879,000 cybersecurity professionals working in the industry and 359,000 unfilled positions, according to a 2020 survey by (ISC)2. But this is far from an accurate picture of the actual demand for cybersecurity talent.
The problem is compounded by the fact that there are too few workers to replace those who retire or leave the field for other reasons. The stress of dealing with constant cybersecurity shortages is causing workers to burn out, and this is a serious problem that must be addressed.
Rather than relying on traditional solutions like recruitment incentives and worker bonuses, CXOs need to focus on building cybersecurity skills primarily in-house. This requires relaxing job requirements and allowing for on-the-job learning. Increasing diversity is another key goal, Stewart says. The pool of cybersecurity experts is largely white and male, and there are not enough women or people of color to fill the growing number of roles. CXOs need to prioritize outreach to underrepresented communities and provide educational resources that explain the wide variety of opportunities in cybersecurity.
The reality is that no matter how much a company invests in its cybersecurity team, the growing number of threats and lack of skilled workers will make it difficult to keep up. But with the stakes so high, organizations need to find innovative ways to address this challenge or they will continue to be vulnerable to data breaches and other cyber attacks that can cost them millions of dollars.