Technology is evolving at a pace that security experts are struggling to keep up with. As we mentioned in an earlier blog, IoT creates a huge risk for any business, especially those in manufacturing since the small devices are easily hacked.
Increased vulnerability has led the cybersecurity industry to a 3 million person shortage, which is expected to worsen by 28% for 2026.
So, how can your company get solid protection despite the shortage?
In this blog, we describe the shortage in more detail and share how you can overcome the talent gap.
Table of Contents
- Why is There a Labor Shortage in Cyber Security?
- Areas of Cyber Security Most Impacted by the Shortage
- Can AI Help Reduce the Labor Shortage?
- Actions for CEOs to Mitigate the Risks in their Organizations
No single reason explains the cybersecurity labor shortage; rather, a number of factors are contributing to a perfect storm:
- Digital transformation is happening in all industries, across companies both large and small. Companies are making a shift to web and cloud-based applications and are using data-driven analytics to provide better interactions with their customers. These transformations are great for customers, but are also increasing the number of ways companies can be attacked.
- IoT is still relatively new, generates massive amounts of data, and the simple devices are relatively insecure. Cybersecurity expertise is critical to securing the networking, the data, and the IoT devices themselves.
- In an age where data is “the new oil”, hackers are quickly gearing up with more sophisticated attacks and new tools to cash in on the lucrative business of selling stolen data to the highest bidder. Being staffed to address the sheer volume of attacks is driving greater demand for cybersecurity experts.
Large companies are scrambling to snap up available personnel amidst a cybersecurity workforce shortage, paying top dollar for security engineers. The risk of not acquiring the right talent is the possibility of a breach that could take years to recover from.
Smaller companies are actively being targeted by hackers as a route to gain access to these companies' larger partners and customers. Unfortunately, these smaller companies can’t compete with the high salaries offered by big businesses and find themselves exposed.
Help is on the way, but not soon enough. Colleges and universities now have cyber-related degrees, and concentrations in cybersecurity. This has created a pipeline of new talent, though this pipeline alone will not address the current cybersecurity talent gap. Other programs to encourage women and veterans to enter cybersecurity have also been put in place to help mitigate the shortage. This training still takes time, and it will be years before the effects of these programs provide relief to the labor market.
Evolving regulatory requirements have touched almost every industry in the world, and as a result most companies have assigned information security responsibility to an executive in the company, either in a dual role, such as COO and Chief Information Security Officer, or as a full-time CISO. These policy-heavy roles have driven the majority of cybersecurity programs in colleges to focus on policy planning and compliance audits, and less on hands-on activities. Because of this, the biggest gaps in cybersecurity talent appear in the practical hands-on roles for performing real-world security tasks:
- Security incident triage, assessment, and remediation
- Network security policy implementation and enforcement
- Vulnerability and penetration scanning
- Configuration assessment and remediation
- Desktop / laptop / server OS security implementation
Many candidates will possess a subset of these hands-on skills, leaving it to the employer to decide which ones are the most critical now while the others are learned. Finding the right combination at the right salary will be a challenge, depending on how competitive a company can afford to be.
One of the biggest cybersecurity skill gaps in candidates is soft skills, or the ability to interact and communicate with non-technical peers. This is one of the hardest skills to learn, and should be prioritized when evaluating a candidate’s abilities. A candidate with good soft skills can be taught additional technical skills.
AI and machine learning are revolutionizing the cybersecurity industry as a whole. These tools can assess billions of log entries across multiple locations in a fraction of the time a team of humans would need for the same task. Using a combination of pattern matching, heuristics and anomaly detection, AI can detect more security threats earlier and faster than ever. This capability is great for a company’s security posture, but each of those threats needs to be analyzed and investigated individually, requiring human interaction by a cybersecurity expert.
One of the universal benefits of AI is that it can help by enabling one person to do the work of many. In cybersecurity, that one person needs to be a highly skilled security expert to be able to address threats identified by AI. Ultimately, AI will increase demand on the already strained labor pool for cybersecurity.
There are some actions CEOs should take to protect their companies:
- Get a Security Assessment. For a one-time fee you can invite a security expert to analyze vulnerabilities in your network. Good ones will provide you a security roadmap that you can implement, and this will cover you for over half of the typical threats.
- Get Your IT Team Cyber Educated. Send your IT manager to a security conference, pay for a security certificate program, etc.
- Consider an MSP with cybersecurity expertise. Some managed service providers are well equipped to perform security and vulnerability scans, and respond to security threats and incidents as they arrive. An MSP can serve as a long-term solution.