Cyber CEO: The Cybersecurity Skills Gap – How to Address it Now and in the Future

The cybersecurity skills gap has continued to be a problem – one that’s only gotten worse due to the pandemic and digital transformation that most organizations recently experienced. Drastic changes to business operations coupled with shrinking budgets mean in-house cybersecurity professionals are both difficult to come by and often too expensive to hire to develop comprehensive cybersecurity programs.

When (ISC)²  launched their Cybersecurity Workforce Study in 2020, the global cybersecurity workforce was 2.8 million people – while the demand for cybersecurity professionals was around 4.07 million. That’s a daunting gap to fill and it’s only getting bigger.

When faced with a problem this big, I like to deal with it one step at a time. When it comes to the cybersecurity skills shortage, there are short term and long term solutions we can take that will:

1. Comprehensively secure your enterprise against the growing attack surface and increasingly frequent and sophisticated cybercrime.
2. Build a capable cybersecurity workforce that will develop an industry where cybersecurity professionals can thrive, grow, and most importantly – be a part of a team that has the capacity to meet the threat landscape without being overworked, underfunded, or burning out.

The Long Term Cybersecurity Skills Shortage Solution

There are many steps we can take to start building a cybersecurity workforce that is properly supported and invested in – and in turn, can address the growing threat landscape without being overworked and understaffed.

Start Cybersecurity Education Early

I’ve said it a million times – cybersecurity is everyone’s responsibility. And I really mean everyone ! Our kids are growing up in an increasingly technological world – we need to provide them with the resources and education to navigate it in a smart and safe way.

Educating our kids early about cybersecurity is key to:

• Ensuring they understand the gravity of the consequences that can result from poor cybersecurity hygiene
• Inspire those who would excel in an information security career

Provide and Accept Accessible Cybersecurity Training

One of the most common questions I receive and see trending is “how do I start a career in cybersecurity?” You’d think that with a growing cybersecurity skills gap, this wouldn’t be so common !

The fact is, there simply aren’t a lot of education or training programs to equip those looking to enter the industry. Furthermore, the dynamic threat landscape evolves at a pace that makes formal education tactics difficult to keep up.

This problem requires a two-fold solution.

Accessible Training for the Real World

Higher education and job training programs need to develop cybersecurity programs that are comprehensive and accessible. They must consider the dynamic threat landscape and provide education and training in both legacy cybersecurity basics and current approaches and solutions.

The Right Job Candidate isn’t Always the One That Ticks All the Boxes

Hopeful cybersecurity job candidates often face the issue of not “ticking all the boxes.” Many companies are looking for IT talent who can hit the ground running with little to no training. I’m a firm believer in hiring the person first and skills second. My best piece of advice to companies looking to hire is to choose the person who is eager to learn and excited to work over the person who ticks every box on your checklist.

The truth is, that “perfect candidate” is difficult to find and incredibly expensive. Many companies are missing out on some of the best employees simply because they don’t have certain attributes that are easily and quickly learned.

This is especially relevant for those looking to build their cybersecurity team. It should go without saying that I don’t mean – hire the person who has no idea what they’re doing. But that candidate who is 1 year of experience short or doesn’t have every preferred certification but has a great attitude and willingness to learn could be your diamond in the rough !

Address the Current Climate and Make Systemic Changes

As cybercrime continues to increase, the need for cybersecurity and the lack of skilled cybersecurity professionals who are properly invested in – has become more apparent.

Many individuals in the cybersecurity field are dealing with occupational stress and burnout. 65% of surveyed SOC professionals reported that recent stress has caused them to consider quitting their current job.

As we work to increase the cybersecurity workforce, it’s important to address the individuals already within it. Stress and burnout happen, but we as business leaders must:

• Provide support and resources to deal with it together and in a healthy way.
• Learn from the situations that have caused stress and burnout and implement meaningful change to avoid it in the future.

This approach will create a positive cycle of healthy, supportive work environments that will attract future professionals !

Continue Building the Cybersecurity Community

I began my career when the cybersecurity industry was just kicking off – oh boy, now I’m aging myself ! But something that I’ve always appreciated is regardless of how big it has gotten, the individuals in cybersecurity are a community. I have colleagues who I worked with decades ago that I still keep in touch with and support in their endeavors.

For those looking to start a career in cybersecurity, or even if you’ve just begun, I suggest leveraging the community and reaching out to people who are doing what you want to do. Ask them for a quick virtual coffee or phone call, get out to the many infosec events, and engage with the community ! This is one of the best ways to learn about the industry, identify relevant trends, and connect with others who can support you in your cybersecurity career.

The Short Term Cybersecurity Skills Shortage Solution

Today, in-house cybersecurity teams are tasked with a difficult challenge – catching up with business operations that have been transitioned to less secure and more complex networks with almost unbelievable speed. This requires investment in:

• Talent with comprehensive technical skills and experience
• Technology and software specific to an enterprise’s unique cybersecurity needs
• Processes that enable your cybersecurity team to secure your business across all departments and employees

For many organizations, investing in all three in-house is simply not feasible.

While we work to fill the cybersecurity skills gap, there are many ways you can comprehensively secure your organization today.

Enable Your Current Cybersecurity Team

A strong cybersecurity program evolves with the dynamic risk landscape. Providing regular cybersecurity job training that supports your current cybersecurity talent to keep up to date is key.

Encouraging and enabling curiosity and continuous learning will not only ensure your team is informed on the latest trends and trained with the latest security skills but will keep your team feeling challenged and aid in employee retention.

Along with nurturing an open environment that encourages continuous improvement, properly financially investing in your cybersecurity program and team is essential. Ensuring your enterprise is allocating enough funding to provide the team and technological capacity to secure your organization is one of the best investments you can make. A recent study found that the average cost saving from preventing a ransomware attack is $396,675. If your IT security team isn’t able to provide both cyber risk prevention and response, you are not receiving truly comprehensive coverage.

Engage a Managed Security Service Provider

Engaging a Managed Security Service Provider (MSSP) is a great way to supplement your in-house cybersecurity team and optimize your business operations. Having a mix of both humans and technology in-house to monitor and be ready to respond 24/7 is not always within an organization’s means.

Deploying an MSSP as an extension of your enterprise’s in-house team will provide you with:

• Access to trained security analysts and specialized experts
• A threat-centric approach that spans people, processes, and technology for faster detection and response to disrupt and block attacks 24/7/365
• Improved cybersecurity ROI from enhanced technology utilization and process optimization
• Executive metrics to measure progress and identify what risks remain to the organization in order to communicate effectively to board/executive level
• Immediate availability of hands-on incident response

While the Cybersecurity skills gap is a daunting problem there are steps we can take toward addressing and solving it. Take a moment to consider your current approach to IT security. Are you investing in the right people, processes, and technology? Will your current approach contribute to the growing labor shortage or to the development of a healthy, thriving information security industry? Let’s work together to achieve the latter.

To Your Success,

I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. I’m the CEO of Cyderes, one of the world’s most innovative cybersecurity operations leaders. We pride ourselves on keeping enterprises around the world secure from the threat of cybercrime.

This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you. Every month, I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices.

Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.