Over the past five years, organizations have become more aware of cybersecurity, and yet DDoS, spear-phishing attacks, botnets, and other attack vectors have continued to get worse. Digital insecurity will continue for the foreseeable future, with the biggest reason being that we don’t have enough well-trained, skilled cybersecurity professionals to go around.
There are a few reasons for this gap.
First, from a hiring perspective, the trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues — what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing.
Second, certain companies may not know what to look for in a professional.
Third, when skilled professionals are hired, they can often be overworked to the point where they don’t have the time to keep up with the latest developments in the field — and even in their own security tools.
The result is that most positions go unfilled. In fact, according to the Information Audit and Control Association (IACA), about a quarter of all cybersecurity positions are left unfilled for about six months. The IACA study isn’t the only report with these dismal takeaways.
Another study, by the Information Systems Security Association and Enterprise Strategy Group, reports that about 70 percent of surveyed organizations say the cybersecurity skills gap has impacted their business, with 54 percent reporting they’ve suffered at least one security event in 2016. Fifty-five percent of respondents also said the lack of skilled workers added to their security team’s workload so much that, in some cases (35 percent), their team couldn’t familiarize themselves with the security tools they use.
These are all systemic issues needing systemic answers that could take years to resolve. Still, these problems need to be addressed, and they won’t be until we change how cybersecurity experts are hired, retained, and educated.
Setting expectations is a good first step. Companies should have a clear understanding of what they need from a security professional and set their expectations accordingly. Typically, this will range from evaluating network and system ecosystems to routinely testing and prodding the companies’ security to establishing protocols and analyzing network attacks. Here, professional experience and the ability to communicate effectively within the organization are very important.
Companies should also have a robust mix of technical and theoretical problem-solving questions for candidates. It should be long. It should be exhaustive. It should be tiring — but it’s necessary. The reason is simple: candidates should have the endurance, determination, and focus to lay out how they came to their conclusions and the ability to explain their reasoning — clearly — in order to do their job. Good hackers think creatively to overcome technical problems, and your security engineers need to do the same in order to defend the company properly. Sticking with a problem for a while and not giving up is a key trait to look for. Just remember: “Thinking like a hacker” is a must in this industry.
Another tactic is to give security teams the tools they need to succeed — and sometimes that just means giving them room to work. Giving employees the time to test new techniques, research new attacks, and analyze events is an important part of healthy security. Cybersecurity is a unique industry because it must identify and mitigate a variety of vulnerabilities in technologies that are constantly changing. Attack vectors come and go, but sometimes they resurface. Patches need issuing, and suspicious behavior needs analyzing — especially when executive-level endpoints are in play. Companies that don’t provide the space and the time for their security staff to keep their skills sharp are setting themselves up to fail. Companies with successful security teams give them the time to conduct internal evaluations and regularly send them to security conferences for fresh perspectives and hands-on training.
The fundamental problem facing the skills gap, however, is that there aren’t enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed. The first half is a long-term solution requiring a good deal of cooperation with career counselors in both high schools and post-secondary schools. The second half, however, is more of a short- to mid-term solution, but it’s just as viable — in some cases — as hiring dedicated security professionals. This is because cybersecurity shares many skills common to tech positions: creative thinking, technical know-how, and a dogged obsession with solving difficult problems.
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how to simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee — especially for those in the C-suite, where a greater number of spear-phishing attacks occur.
Closing the cybersecurity skills gap isn’t going to happen overnight — or likely even over the next decade. It’s going to be a long process because it’s going to take a fundamental shift in how businesses recruit, hire, and keep security talent. But it’s worth it in the long run for the company, its employees, and its customers.