What can we do to reverse the cybersecurity skills shortage?
An ever widening cybersecurity skills gap is making comprehensive cyber security protection – based on a combination of the latest tools and internal expertise – unaffordable for many organizations.
“This issue isn’t exactly a skills gap, but more specifically a skills shortage, and it’s reflected at every stage – from entry level positions all the way up to the C-suite,” Bharat Mistry, Principal Security Strategist at Trend Micro, told Help Net Security.
The reasons for the shortage are many: under investment in education and training, the cybersecurity industry’s inability to market itself as a diverse place to work, technologies evolving faster than training and education programmes, the volume of cyber threats escalating at an unprecedented rate, the gender gap, and so forth.
And the shortage is not just impacting one sector – businesses around the world are struggling to find, attract and retain security talent as demand is rising and the talent pool is shrinking.
“Chronic under-investment in cyber security by organisations has led to fewer professionals acquiring the relevant skills. Currently only 32% of organizations invest in adequate training in IT security. To combat the increasing skills shortage, governments and businesses in both the public and private sector need to look first at increasing investment in these programs, to make them widely available to all,” he noted.
Having a strong pipeline of talent coming through is vital to help organizations and individuals protect themselves.
How do you feed that pipeline, though?
“It’s up to governments to bring cyber security into the classroom at every level of education, offering cyber security training as part of teacher training programmes, ensuring that students are equipped with the relevant skills and understanding of cyber security long before they enter the workforce,” Mistry opined.
But theoretical training is not enough, because being an effective cyber security specialist means being able to solve problems in a dynamic environment.
“Additionally, governments should look to incentivise organizations into hiring more cybersecurity professionals by backing school leaver apprenticeship programmes. These programmes will be essential in opening cyber security training up to a more diverse and wider range of young people. By providing students with on the job training and education, these schemes will allow for another point of entry into the cyber security industry, without the burden of student loans that comes with higher education,” he added.
In general, though, the cybersecurity industry has a serious image problem and currently fails to make careers in cybersecurity seem an interesting and viable option for young professionals.
Also, the cyber security skills shortage is also being exacerbated by a big gender gap: currently only one fifth of the global cyber security workforce are women.
According to Mistry, the sector should profile a full range of experts to show that it is open to all, and ensure it reaches out to all parts of the community to encourage a more diverse talent base and avoid diminishing numbers signing on to study the subject.
“There are already several great networks such as the UK’s Women in Technology network, which is dedicated to assisting women with the relevant skills to search for career opportunities in technology,” he noted.
“However, building awareness and fostering an interest in cyber security, particularly in women, should not be something that is left to specialist organizations alone. If these job options aren’t elevated in early education, then we have already failed – by the time students reach the workplace it is too late to spark an interest in the profession.”
What can businesses do?
In the short term, organizations should invest in robust training programs that are not exclusively product-focused or only outline a framework used by that specific organization.
Unfortunately, too many do just that and, according to Mistry, this approach is not sustainable as it means the depth of expertise in cyber security professionals across the industry is weakened.
“What’s needed is agnostic training, and this should not be considered a company-wide or even a sector-wide issue anymore – but a global one that must be addressed as such,” he noted.
In the long term, it may become increasingly necessary for organisations to rely on technology rather than human resources to combat the skills shortage. Solutions based on artificial intelligence (AI) can replace humans where necessary and preferred, freeing cybersecurity professional up to concentrate on specialist tasks that machines cannot do.
In general, though, cybersecurity has to be considered a collective responsibility within an organization.
“With technology now underpinning business transformation, the growing technology skills shortage means organizations must have a strategy in place to access the expertise needed, and those that don’t will be increasingly putting themselves at risk,” he pointed out.
“Ensuring there is a strong awareness of the cyber threat landscape at board level will be essential when looking to make the relevant hires for cyber security experts. Additionally, where possible, CISOs should look at outsourcing and automating process. By using managed security services or delegating certain operations to third parties can free up resources and reduce the number of necessary hires.”