Will vacancies create security voids?
Automation may be shortening the Mean Time to Response (MTTR) when it comes to detecting and responding to attacks, but there is still no substitute for the human in the kill chain. Playbooks need to be constructed by security professionals, triggers identified, and interaction points inserted to allow security analysts to corroborate events, and SOCs manned by security teams, meaning those skillsets are still required despite the technological advances of recent years.
The biggest skill gaps are predominantly in these threat detection and mitigation areas, namely incident management, investigation and digital forensics, closely followed by assurance, audits, compliance and testing. The bulk of vacancies are occurring in middle management and senior roles that require three or more years’ experience and, with the Great Resignation now in full swing, the danger is we are heading for a significant brain drain that could further compound the shortage.
What impact might this skills shortage have on the effectiveness of security operations? Could it lead to a backwards slide when it comes to cyber resilience? Alarmingly, WEF’s Global Cybersecurity Outlook 2022 revealed that almost 60 percent of those questioned said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team,” suggesting that responsiveness will be sacrificed. This will lead to businesses becoming more exposed and force growth ambitions to be curtailed.
It’s a situation set to worsen, with another DCMS report predicting an annual shortfall of 10,000 cybersecurity professionals in the UK because there isn’t sufficient new talent entering the market. Only 7,500 enter the profession each year, 4,000 of them graduates, with the rest comprising of those who have upskilled, changed career or come through apprenticeships. At the same time, while between 4,000 and 7,000 people exit the cybersecurity workforce, either because they retire or go work in other sectors. Yet 17,500 staff are needed every year, with demand growing on average 14 percent per year (over the course of the last five years). All of which means the skills shortage is cumulative and will intensify.
Yet there seems very little awareness of the precariousness of this situation out in the real world. The WEF report found that business executives were less aware of the implications of the shortage than their security counterparts, suggesting there remains a disconnect at board level. Failing to realize the seriousness of the situation could see recruitment drives and retention strategies not given priority and see those hiring misjudge the market – and there’s already evidence of this.
Many current job vacancies have unrealistic requirements, as shown by the example of the advertisement for a CISO with penetration testing expertise or a request for a technical team member conversant in GRC standards. Obviously, there are some businesses attempting to hire one person to fulfil more than one job remit. But given that the scales are currently tipped in the job seeker’s favor, these tactics will do little to win over potential candidates.
Job descriptions are symptomatic of a broader issue with cybersecurity in that the sector has grown so organically that there are no clearly mapped career pathways. Recognizing this, the UK Cyber Security Council has been tasked with devising a Career Pathways Framework to make it easier for employers to identify the specific cyber skills they need, create clearer information on career pathways, and prevent any unnecessary barriers to entry or progression.
Currently under consultation until 20 March, the proposals would see specific cyber job titles linked to existing qualifications and certifications, potentially paving the way for “job descriptions and suggested minimum qualifications requirements for typical roles,” as called for by the DCMS in its cyber skills report. The proposals also call for a Register of Practitioners, like the one for medical and legal professions, to recognize those who are ethical, suitably qualified or senior. Such steps could help stem the exodus from the industry caused by job creep, dissatisfaction, and burnout by providing professionals with a clear path of progression and recognition of their status.
But what can the business do now to help alleviate the skills shortage? There are several ways to improve recruitment and retention.
- Invest in your staff. Provide them with training to help them increase their knowledge and skills. Consider introducing incentive programs so that they don’t want to leave.
- Cross train and transition. Enable IT staff to gain cybersecurity skills or to train and transition into specialist cyber roles.
- Provide a path of progression. Develop a clear set of pathways for existing cyber professionals that shows how they can move up within the business.
- Be flexible. When recruiting, ensure the skillsets related to the job you are advertising for are realistic. Be aware of market dynamics not just in terms of salary but whether you need to offer perks such as remote working.
- Be open-minded. Around a third of those now in the profession entered via non-cyber related routes, so rather than looking purely at experience and certifications, explore ways to test for the skills you need such as analytical problem solving.
- Outsource for expertise. The pandemic saw many decide to move out of permanent roles into consultancy. 38 percent of businesses currently outsource cybersecurity compared to 57 percent in the public sector, making this a growth market that businesses can tap into.
While the cyber pathways initiative promises to bring some much needed transparency to the sector it is still some way off. Those organizations that don’t adapt to the growing skills shortage today risk more than missing out on valuable talent, as they could find themselves under resourced and their systems over exposed.