The shortage of talent available with cybersecurity skills has been widely publicized. Worse still, the gap is forecast to grow. Cybersecurity Ventures, for one, identified a current estimated 350,000 open cyber security positions in the US, and a predicted global shortfall of 3.5 million cyber security jobs by 2021. These strategies can help your organization better address the cybersecurity skills gap.
Why The Cybersecurity Skills Shortage?
Cyberthreats were one of the four top threats to business growth prospects in PwC’s 2018 CEO survey. Its jump to the fourth spot was a leap up six places from just the year before. And surely 2018’s no. 5 threat, “availability of key skills” and no. 6’s “speed of technological change” are both relevant to this increasing CEO concern.
Yet, there’s a problem of supply and demand. The problem is attributed to several factors:
- Escalation in cyber threats prompting unprecedented need for individuals with skills, talent and experience
- Chronic under-investment in training and education
- Market misalignment
- Outsourcing undermining internal skills development
- Lack of self-marketing
The advances in technology, such as artificial intelligence, IoT, data mining, and machine learning are only further widening the gap. According to the Cybersecurity Workforce Alliance, for instance, the number of students entering courses, participating states and schools, and demonstrating initial awareness of cybersecurity as a career is currently only 1%.
“Nowhere is the workforce-skills gap more pronounced than in cybersecurity.” — Wharton
What’s To Be Done?
So, what can be done to address the huge demand for cybersecurity skills across private and public sector industries. These strategies may help.
1. Invest in Training
Companies need to build up their own internal cybersecurity skills base. This means comprehensive training. Only individuals with a thorough understanding of compliance and standards and end-to-end security issues can create, support, and maintain the robust security posture your business needs. RedTeam, for example, offers social engineering and Red Team training courses. The Red Team course guides students through a full-cycle Red Team Operation from the planning phase to the reporting phase.
2. Prioritize Skills, Knowledge, and Willingness to Learn
By looking only to hire graduates of four-year-college tech programs, the business fails to consider the varied skills and perspectives people with nontraditional backgrounds may bring.
IBM, for example, has worked to prioritize attributes that can’t be taught in a classroom — “unbridled curiosity, passion for problem solving, strong ethics, and understanding of risks.” In the Harvard Business Review, an IBM columnist noted, “People with these traits can quickly pick up the technical skills through on-the-job training, industry certifications, community college courses, and modern vocational and skills education programs.”
3. Re-Assess IT Effectiveness
Gartner fellow and research vice president Tom Scholtz suggests taking a “lean approach” to staffing instead of trying to meet “ever-growing threats” with “an ever-growing security team.” He notes that simply getting bigger is not the best solution; “many routine security functions can, in fact, be performed as well, if not better, by other IT or business functions.”
For example, user awareness communications could be shifted to human resources or another internal department to facilitate IT teams having more bandwidth to make the essential risk-based decisions.
4. Fully Integrate Cybersecurity Thinking
Cybersecurity should not be the sole responsibility of the IT team — no matter its size. It may be IT leading the charge, but the entire organization needs to recognize and understand the importance of cybersecurity. All business process, data, and application owners have a role to play in protecting enterprise resources.
“Security is truly everyone’s problem; virtually every aspect of personal and professional data is at risk.” — HBR
5. Identify Cybersecurity Threats
Your employees are a great asset, yet they can also present a real cybersecurity threat. You might consider:
- Are your humans overworked? If so, they may make mistakes that cause security problems.
- Are your business units in deep silos? The lack of communication across the enterprise could prove dangerous to enterprise-wide cybersecurity.
- Are roles and responsibilities clearly delineated? When both IT and non-IT staff perform security functions, there could be a lack of coordination and reliable governance.
- Are security decisions being made with internal insight? If IT is an insular unit lacking strong communication channels to business units, they may not be making the best security decisions for those departments.
Penetration testing is another effective way to address the cybersecurity skills gap. After all, instead of requiring your already overworked and short-staffed IT team to try and identify all possible vulnerabilities in a network, application, or device they know intimately, you can turn to external experts.
RedTeam Security offers application penetration testing, network penetration testing, physical penetration testing and IoT/Device penetration testing to help your team identify and fix vulnerabilities. Contact us today to make penetration testing part of your defense arsenal.