No one is immune to security problems: From Facebook’s leaky databases, to JBS and Microsoft’s big breaches, to the infamous Colonial pipeline data hack — everyone is susceptible. And as remote operations have become a necessity over the past two years, malicious actors have taken advantage of rushed implementations and poorly secured systems, infiltrating databases with greater ease than ever before.
Today, cybersecurity is a $1 trillion problem that underscores the importance of recruiting, hiring, and developing cybersecurity talent. From ransomware infections to cryptomining on compromised accounts, most security mishaps can be traced to human error. As employees feel overwhelmed and overworked, mistakes — such as cloud misconfigurations or leaving data cache permissions open — are bound to happen.
Yet as the world seeks out more cyber expertise to help, the security skills gap only continues to grow. Ninety-five percent of security professionals say the shortage is now worse than the early days of the pandemic. As everyone feels the pain of this immense crunch, what can companies do to secure the talent they desperately need? It comes down to making two key changes: getting more open-minded with how they identify and develop talent, and assigning some of their cybersecurity maintenance to managed services providers.
Two Shifts to Close the Skills Gap
Much like many of today’s shortages, the cybersecurity talent dilemma comes down to a simple supply and demand equation. While the demand for security skills is at an all-time high for the fifth year in a row, there is an insurmountable scarcity of talent that possesses those skills, which include multiple security domains, specialized cloud ops and security, networking, compliance setups, and DevSecOps knowledge. Nearly all organizations (87%) are affected by this shortage.
Adding to the issue, the world’s biggest and most cash-flush enterprises — companies like Capital One, Amazon, and Deloitte — are going on massive hiring sprees to onboard more security talent. In fact, the demand is so high that experienced cybersecurity talent can ask for astronomical salaries from these gigantic players, pricing the majority of companies out of the talent competition.
As the demand for these skills continues to outpace available talent, it’s time for companies to rethink how they hire and facilitate internal growth. Security jobs have historically been fraught with high and often unnecessary requirements, creating barriers to entry for otherwise qualified candidates.
For example, some entry-level job postings require highly specific professional certifications and extensive hands-on security experience that can only be obtained through years on the job. In fact, researchers say more cybersecurity talent is available, but job criteria such as four-year degrees, security certifications, and previous experience are artificially limiting the talent pool. Gartner advises security leaders to expand “where and how they look for cybersecurity” talent and start considering candidates with the potential to pick up skills on the job. It’s also wise to invest in internal development, training promising internal talent on the skills they lack instead of searching for external hires.
In tandem with shifting hiring and employee growth approaches, companies also need to shift their mindsets. Too many smaller companies see improving cybersecurity as a down-the-road concern — they assume breaches only happen to big-name firms, and so they focus on growth and prioritize product updates instead. But SMBs are not immune to being targeted by cyberattacks. In fact, one in five breach victims last year were SMBs, and they do themselves a disservice by not making cybersecurity a priority.
And companies don’t have to go it alone when it comes to cybersecurity. It can be a shared responsibility, with vendors playing a role in ensuring that companies get the protection they need to keep compute instances and data safe. SMBs that already rely on managed service providers to set up or operate their cloud ecosystem can close the skills gap by capitalizing on their providers’ security capabilities, too. An effective managed services provider can shoulder the weight of securing systems and networks, offer guidance and training from certified professionals, manage security updates, maintain backups, and meet compliance requirements.
Don’t Wait for New Talent — Prioritize Cybersecurity
Navigating the talent shortage requires companies to look both inward and outward. Internally, a greater focus on development and training is essential for helping security teams grow their knowledge and skills. But externally, there’s work to be done, too. From how they hire to how they lean on managed service providers, companies have opportunities to change the shortage status quo in meaningful ways. A critical success factor for security leaders is minimizing the talent gap through methodically designed security talent incubation and development programs, and by engaging security-minded professionals from other business functions or security service providers.
The cybersecurity talent shortage isn’t going anywhere — don’t let that make your business vulnerable to threats.
About the Author
As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai’s cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.
Source: www.darkreading.com