Businesses aren’t shy about investing in cybersecurity, but are organizations getting the maximum return on those investments? Too often, businesses focus their spending on technology and neglect to use hiring—and especially training—practices that would bring real value to the people responsible for deploying and managing that technology, and, ultimately, setting the company’s cybersecurity posture.
Part of the problem, of course, is the lack of talented cybersecurity professionals to invest in. The talent gap in cybersecurity, across all sectors, is well-known. Recent research by the labor analytics firm Emsi found that the United States has less than half the cybersecurity candidates that organizations need to fill their ever-growing demand.
According to a demand/supply heat map by CyberSeek, a project funded by the National Initiative for Cybersecurity Education (NICE), the United States began December 2020 with more than 520,000 unfilled cybersecurity jobs—in a field where only about 940,000 were employed.
The shortage of personnel is felt acutely. In a recent survey by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations.
The importance of good actors
Technology tools, whether traditional antivirus software, firewalls, automated detection systems, vulnerability scanners or others, play an essential role in protecting networks and data. But those tools have limits, and the investment in them will not pay off unless they are properly managed by well-trained teams.
Faced with a threat landscape that is constantly growing and morphing to capitalize on new, more sophisticated attack techniques—and amid the reality of some newly limited budgets—it’s critical for organizations to take a hard look at the comparative ROI between investing in people vs. technology.
When the two are examined side by side, the cost of investing in the latter (technology) without matching it with investment in the former (people) becomes clear. Cybercriminals have access to technology too, but the rising cost of data breaches, as noted in the latest annual report from the Ponemon Institute and IBM, is also driven by the increasing skill and sophistication of attackers. The “bad actors” are getting better at exploiting the attack surface while the skills gap continues to widen, leaving businesses exposed.
Companies need to counter this proliferation of sophisticated “bad actors” with bigger and better-skilled teams of “good actors”: skilled cybersecurity people who are able to adjust and react to shifting attack vectors and techniques.
Investing in cyber professionals, rather than just buying the latest technology, lets businesses get more out of their cyber defenses over time as security teams improve, while keeping the flexibility to adapt operations as needs change. By contrast, technology alone lacks that human advantage and demands continuous new investment and rigid upgrade cycles that may not match the organization’s needs over time.
Develop the talent you have (but might not yet recognize)
Investing more in people is an obvious answer to improving enterprise cybersecurity, but such investments can quickly run up against the well-established shortage of skilled cyber professionals, particularly if companies expect them to suddenly emerge from universities or other educational tracks.
While organizations such as NICE have established programs to promote cybersecurity education, companies can help fill the gap in their cyber workforces by finding and training cyber talent from within their own ranks or from other fields. In fact, effective, hands-on training is essential regardless of where cyber personnel come from.
Reports from the likes of CSIS, the professional association ISACA and the Commerce and Homeland Security departments (to name a few) have found that employers increasingly have concerns over how well educational programs are preparing students to actually meet an organization’s cybersecurity needs.
What’s missing, in most cases, is hands-on experience, which employers rate the most important quality for new hires, according to studies such as the recent joint research project by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).
Emsi’s report suggested an approach of “build, don’t buy,” saying that organizations should focus on upskilling employees, rather than spending most of their time advertising job openings that attract unsuitable candidates from IT fields.
In addition to people already in the IT field, employees in areas such as business operations and finance are often fairly deep pools of cyber talent and should not be overlooked when building security teams. Cybersecurity jobs tend to pay well compared to jobs in other departments and can offer solid career paths, which can help in attracting people from other areas of a company.
No matter where cybersecurity personnel come from, effective cyber upskilling programs, in which students or employees work on realistic challenges that accurately reflect what they’ll deal with on the job, are essential to security. In addition to teaching technical skills, these programs also can identify and develop the soft skills—such as teamwork and adaptability—that organizations increasingly say are vital to security operations.
Combined with recruitment programs that emphasize real-world experience, cyber upskilling programs based on real-world scenarios can significantly help companies give cyber pros the skills they need—and help close the cyber talent gap.