There is a huge problem in cybersecurity. It has been festering for years and it isn’t going away anytime soon. This problem isn’t the latest zero day threat, malicious attackers, or even a rogue nation-state. There is a scarcity of cybersecurity professionals available to meet the increasing need for improved cybersecurity among businesses. The lack of qualified cybersecurity personnel has been a concern for years. Recently, the problem has intensified as organizations become more aware of their own vulnerabilities.
According to an analysis of numbers from the Bureau of Labor, there are 209,000 US cybersecurity jobs without candidates and jobs are up 74% over the past five years. The same analysis indicated that the demand for cybersecurity professionals would explode by an additional 53% through 2018.
The result is that many businesses are finding themselves shorthanded and lacking in the core skills they need to protect themselves against cyber threats. There is a critical need for better education and talent development from both the public and private sectors in order to remediate this shortfall.
Understanding the cause & effect of the skills shortage
Demand for highly experienced cybersecurity professionals far outpaces the available supply. According to a recent study by the Enterprise Strategy Group, “46% of organizations now claim that they have a problematic shortage of cybersecurity skills.” Cybersecurity is a complex and volatile field – it’s always changing. Cybersecurity threats, goals, and needs vary greatly across industries, making it difficult to find the right people with the exact experience and skillset.
What makes a great cybersecurity professional?
The attributes that make a great cybersecurity professional are incredibly difficult to find in a single individual:
Ability to connect with varied audiences – Cybersecurity professionals must have the ability to speak at board, manager, and technical levels. They need to be able to understand and solve complex technical problems. They must also be able to explain those problems in business and operational terms that the rest of the company can understand.
Practical experience – You can’t fake this. Cybersecurity is something that you need to do, hands-on. You need to have experience and develop instincts. That takes time. According to a study by ISACA and the RSA Conference, 65% of entry-level cybersecurity applicants lacked the requisite skills for the position.
Mindset – Cybersecurity professionals need to have experience working in the field and to possess just a bit of a malicious mindset. Simply put, they need to be able to think like the attackers they are combatting.
Why it’s so hard to attract & retain top talent
Risk – It has become an accepted fact that, despite best efforts, most organizations will suffer an attack. And the cybersecurity professionals in charge will usually take the blame. In recent times, there have been heated debates around whether these professionals can be held personally responsible and face potential criminal proceedings in the wake of a data breach on their watch.
Catch 22 – Cybersecurity is still a fairly new and evolving field. Much of today’s workforce did not have the opportunity to obtain direct education in the field. Now that degree and training programs have become available, we are seeing more qualified professionals enter the job market. However, they are not arriving at nearly the pace they are needed.
Less than ideal working conditions – These conditions are a symptom of the shortage. Because there aren’t enough qualified professionals, the ones who are working are called upon to work long hours, to be on call, and to deliver massive projects, often without the resources needed to do so. The urgency of cybersecurity often results in unrealistic project requirements and deadlines.
Lack of advancement & training – Again, largely due to the shortage of staff and available budget, cybersecurity professionals are not afforded regular training and professional development opportunities. Couple this with the fact that there aren’t enough qualified people to fill the jobs and you have a recipe for job-hopping. The qualified cybersecurity professionals can name their price and will take only the jobs they truly want – the ones that afford them advancement opportunities.
What about me? How the cybersecurity skills shortage impacts my business.
Because of these staffing challenges, organizations find themselves grossly understaffed and lacking in critical cybersecurity skills. The shortage of skilled cybersecurity professionals means that most organizations are at greater risk of a breach than they should be. The impact can be seen across the board in rising costs of data breaches, increases in the number and severity of incidents, and the flailing and floundering responses organizations muster following a breach.
IT market research of mid to small sized company IT professionals in EMEA and the US revealed that organizations are gravely behind the curve when it comes to information security:
- 80% of respondents reported at least one security incident in 2015
- A poor 29% of respondents had at least one cybersecurity expert in their IT department
- Only 7% had a cybersecurity expert on their executive team
- A shocking 55% reported having no regular access to any IT security experts (internal or third party)
- Of those who did report having IT pros, 67% of those professionals say they have no security certifications
What can you do about it?
The cybersecurity skills shortage has painted a bleak picture for the future security of organizations. The industry is working to make up for the labor shortage in other ways. One such option is the self-protecting, self-healing network. The Defense Advanced Research Projects Agency held the “Cyber Grand Challenge” to drive the development of programs that can identify and fix vulnerabilities in other programs on their own, thus reducing the need for humans to perform that task. The industry has also made great strides in using big data, advanced behavioral analytics, and other machine learning techniques to increase efficiencies and reduce the burden on the workforce. Some of these technologies are working today, but they are far from being accessible and affordable for all businesses.
There are also programs in place to incentivize people to choose careers in cybersecurity. The National Initiative for Cybersecurity Education (NICE) is geared toward improving access to cybersecurity education and job opportunities in order to increase the number of skilled cybersecurity professionals in the job market.
However, technology drives competitive advantage and we cannot shy away from the problem. Each organization needs to determine the appropriate level of action to solve their respective cybersecurity skills challenge.
Get commitment at the board level
As the threats continue to grow and the rate of incidents continues to skyrocket, the related brand, reputation, and fiscal impact of cybersecurity gaps, in staffing and otherwise, are critical board-level issues. Ensuring that your existing team is able to articulate the cybersecurity risks in quantifiable ways that the board can understand will be critical to gaining buy-in for security initiatives, and paving the way for the programming necessary to attract and retain top cybersecurity talent.
Remove friction from the hiring process
While it may not be feasible to offer the highest salaries, there is a lot you can do to attract and retain top talent. There are so many points of failure in the recruiting, hiring, and onboarding process that can leave a bad taste in a prospective or new employee’s mouth. Working closely with your HR team can help iron out these wrinkles and ensure that your prospective and new employees feel highly valued, making it easier to get them to sign on the dotted line.
Be an employer that employees don’t want to leave
While it’s easy to say you should pay competitive salaries and offer generous vacation packages and perks, it takes a lot more than money to keep employees from leaving. Creating a company culture that is magnetic and where employees thrive is key to staff retention. Take a few lessons from Online’s “People Care Playbook”:
- Recognize and reward employees for their hard work.
- Ensure that there are clear and defined career paths.
- Make work-life balance a priority by creating an environment where employees can work and feel intertwined with the organization, while still having a fulfilling personal life.
- Find opportunities to engage employees in fun or service oriented activities outside of the office environment.
- Ensure that you have a solid infrastructure to support and include remote employees in company activities.
Provide career development opportunities
Set your organization apart by developing career opportunities that allow your staff to take time to pursue research opportunities that challenge and excite them. In addition to happy employees, your business will benefit from the cutting edge discoveries and an invigorated corporate culture centered on continuous improvement.
Because cybersecurity is a research and experience-based field, there are so many opportunities for cybersecurity professionals to break new ground and to share and publish their thinking to the industry. Being recognized at an industry conference, publishing a research paper, being nominated for an award, or contributing to blogs are all great ways that cybersecurity professionals can develop a personal brand as an expert. While you may worry that these employees will jump ship in pursuit of a higher salary, this is not usually the case. Organizations that allow employees these opportunities are few and far between. Most cybersecurity professionals are not willing to sacrifice the ability to learn, grow, and build their own reputation for a slightly larger paycheck.
Conduct a risk assessment to better understand where to focus your efforts
By starting from a place of awareness, you can make informed decisions on how to utilize the resources you have and what resources you need to acquire to have the most meaningful impact on your overall security posture.
While it can be overwhelming and time-consuming to conduct a full-blown risk assessment, Online’s Quick Start Risk Assessment Program provides you with early insights and the critical information you need to get the greatest risk return on your security investments.
Build tomorrow’s workforce today
It can be difficult to think about your needs five years from now, but as the current skills shortage has demonstrated, it is critical. Smart businesses will take advantage of the bevy of cybersecurity programs to mine and nurture new talent. A two-pronged approach that addresses the advancement and promotion of existing staff, as well as internships and partnerships with cybersecurity degree programs, will give your business a leg up on cultivating a highly skilled workforce that is ready to tackle your toughest cybersecurity challenges.
If all else fails, partner with an expert
The cybersecurity skills shortage is an epidemic. Even leveraging the techniques we’ve already discussed may not be enough to bridge the gap. If that is the case for your organization, it may be time to consider bringing in some third-party assistance. These resources can help you address critical gaps. For example, you may simply need emergency resources on call to help with a major breach, or you may want to offload the basic repeatable tasks to a third party to allow your team to manage the more strategic initiatives. No matter what your current maturity, goals, or needs, there is a partner out there that can meet those needs.
Bridging the Skills Gap
The industry, both public and private sectors, is taking broad steps to solve the cybersecurity skills gap, but it’s up to each of us to ensure that our organizations are protected today. Learn more about how partnering with a firm like Online Business Systems can help you bridge the gap and ensure your organization is on solid ground.